Analysis Report GZe6EcSTpO

Overview

General Information

Sample Name: GZe6EcSTpO (renamed file extension from none to exe)
Analysis ID: 380813
MD5: 87e0355c098d2dfd890ae4c9da26bbdd
SHA1: 5f300f4dd15cccbe51cd4df51ac30b7c2c84fc75
SHA256: 570c3c298c2d30bfd7d824b0ec8e28b3efa51bf269297348fc5fc30cb81a2d7e
Tags: 1512361453

Detection

Mimikatz HawkEye Nanocore xRAT CobaltStrike Codoso Ghost Coinhive Crypto Miner GhostRat Mini RAT Mirai Nukesped PupyRAT Quasar RevengeRAT ComRAT UACMe WebMonitor RAT Xmrig Xtreme RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Hacktool Mimikatz
Detected HawkEye Rat
Detected Nanocore Rat
Detected xRAT
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected CobaltStrike
Yara detected Codoso Ghost
Yara detected Coinhive miner
Yara detected Crypto Miner
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Mini RAT
Yara detected Mirai
Yara detected Nukesped
Yara detected Powershell download and execute
Yara detected PupyRAT
Yara detected Quasar RAT
Yara detected RevengeRAT
Yara detected Turla ComRAT XORKey
Yara detected UACMe UAC Bypass tool
Yara detected WebMonitor RAT
Yara detected Xmrig cryptocurrency miner
Yara detected Xtreme RAT
Deletes itself after installation
Found Tor onion address
Found strings related to Crypto-Mining
Modifies existing user documents (likely ransomware behavior)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes a notice file (html or txt) to demand a ransom
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w10x64
  • GZe6EcSTpO.exe (PID: 5884 cmdline: 'C:\Users\user\Desktop\GZe6EcSTpO.exe' MD5: 87E0355C098D2DFD890AE4C9DA26BBDD)
    • vnwareupdate.exe (PID: 2540 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' -r 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 MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 4456 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1092' MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 6352 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1136' MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 6404 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1244' MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1236' MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 7044 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1256' MD5: FA8AFFACE280644885152DE7CD3234EE)
      • vnwareupdate.exe (PID: 5432 cmdline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1300' MD5: FA8AFFACE280644885152DE7CD3234EE)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\keywords.txt | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | Florian Roth
  • 0x2b9:$x7: Invoke-Mimikatz
C:\Users\user\Desktop\c2-iocs.txt | APT10_Malware_Sample_Gen | APT 10 / Cloud Hopper malware campaign | Florian Roth
C:\Users\user\Desktop\c2-iocs.txt | APT_DeputyDog_Fexel | unknown | ThreatConnect Intelligence Research Team
  • 0x386:$180: 180.150.228.102
C:\Users\user\Desktop\filename-iocs.txt | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShodowBroker Files Screenshots - Dec 2016 | Florian Roth
  • 0x9750:$s11: elatedmonkey
  • 0x979a:$s13: endlessdonut
  • 0x9622:$elf1: catflap
  • 0x9630:$elf1: catflap
  • 0x964f:$elf2: charm_penguin
  • 0x9662:$elf3: charm_hammer
  • 0x96d2:$elf5: dampcrowd
  • 0x9730:$elf8: ebbshave
  • 0x9740:$elf9: eggbasket
  • 0x9777:$elf10: toffeehammer
  • 0x97ac:$elf11: enemyrun
  • 0x97d2:$elf12: envoytomato
  • 0x97e3:$elf13: expoxyresin
  • 0x9803:$elf14: estopmoonlit
  • 0x98a8:$elf17: ghost_sparc
  • 0x98c8:$elf18: jackpop
  • 0x98fa:$elf19: orleans_stride
  • 0x9933:$elf21: seconddate
  • 0x9943:$elf23: skimcountry
  • 0x9954:$elf24: slyheretic
  • 0x9964:$elf25: stoicsurgeon
C:\Users\user\Desktop\hash-iocs.txt | EquationDrug_HDDSSD_Op | EquationDrug - HDD/SSD firmware operation - nls_933w.dll | Florian Roth @4nc4p
  • 0x10fca:$s0: nls_933w.dll
  • 0x11045:$s0: nls_933w.dll

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown
  • 0x9d0:$a: Amplia Security
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp | webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat | Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Florian Roth
  • 0xbf8:$s8: if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }
  • 0xd38:$s9: foreach($values as $k=>$v) {$values[$k] = addslashes($v);}
0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
  • 0xe79:$s0: Safe0ver
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp | Amplia_Security_Tool | Amplia Security Tool | unknown
  • 0x191d0:$a: Amplia Security
  • 0x19180:$c: getlsasrvaddr.exe
  • 0x26140:$d: Cannot get PID of LSASS.EXE
  • 0x262c0:$e: extract the TGT session key
0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp | SQLMap | This signature detects the SQLMap SQL injection tool | Florian Roth
  • 0x2a6c8:$s1: except SqlmapBaseException, ex:

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: GZe6EcSTpO.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: GZe6EcSTpO.exe | Virustotal: Detection: 52%
Source: GZe6EcSTpO.exe | ReversingLabs: Detection: 41%
Yara detected Quasar RAT
Source: Yara match | File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected RevengeRAT
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 3_2_02CA0AA0 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptReleaseContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 3_2_02CA0380 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 3_2_02CA0E90 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 5_2_02DB0AA0 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptReleaseContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 5_2_02DB0380 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 5_2_02DB0E90 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 8_2_02E10AA0 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptReleaseContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 8_2_02E10380 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 8_2_02E10E90 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C102A0 CryptDestroyKey,CryptReleaseContext,CertFreeCertificateContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C10380 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C10310 CryptDestroyKey,CryptReleaseContext,CertFreeCertificateContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C10120 CryptDestroyKey,CryptReleaseContext,CertFreeCertificateContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C12460 CryptAcquireContextW,CryptReleaseContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C10AA0 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptReleaseContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C10E90 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C11070 CryptExportKey,CryptExportKey,GetLastError,CryptExportKey,GetLastError,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C2B740 CryptAcquireContextW,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptGenRandom,CryptReleaseContext,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,GlobalMemoryStatus,GetCurrentProcessId,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C115A0 CryptCreateHash,GetLastError,CryptSetHashParam,GetLastError,CryptSignHashW,GetLastError,CryptDestroyHash,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C11AC0 CryptCreateHash,GetLastError,CryptSetHashParam,GetLastError,CryptSignHashW,CryptDestroyHash,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C11880 CryptDecrypt,GetLastError,memcpy,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02C0FE60 CryptEnumProvidersW,CryptEnumProvidersW,GetLastError,CryptEnumProvidersW,GetLastError,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 10_2_02C00AA0 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptReleaseContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 10_2_02C00380 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 10_2_02C00E90 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,

Exploits:

Yara detected UACMe UAC Bypass tool
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Privilege Escalation:

Detected Hacktool Mimikatz
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: $s1 = "http://blog.gentilkiwi.com/mimikatz" ascii

Bitcoin Miner:

Yara detected Coinhive miner
Source: Yara match | File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected Crypto Miner
Source: Yara match | File source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected Xmrig cryptocurrency miner
Source: Yara match | File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Source: Yara match | File source: C:\Users\user\Desktop\otx-c2-iocs.txt, type: DROPPED
Found strings related to Crypto-Mining
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: $s1 = "stratum+tcp://" ascii
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: $s7 = "-P /tmp && chmod +x /tmp/pools.txt" fullword ascii
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: $s8 = "\"algo\": \"cryptonight\", // cryptonight (default) or cryptonight-lite" fullword ascii
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: $s1 = "stratum+tcp://" ascii
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: reference = "https://coinhive.com/documentation/miner"
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory (reference strings repeated several times): Smominru Monero mining botnet making millions for operators https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-ko; OilRig uses RGDoor IIS Backdoor on Targets in the Middle East https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-ii; Large Scale Monero Cryptocurrency Mining Operation using XMRig https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-cr
Source: GZe6EcSTpO.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\vnwareupdate.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: GZe6EcSTpO.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: $x1 = "\\BeyondExecV2\\Server\\Release\\Pipes.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\obj\\Debug\\exeruner.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\T+M\\Result\\DocPrint.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x3 = "\\RbDoorX64.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\UACElevator_RID2B2C.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\shellcodegenerator.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x4 = "\\Gubed\\Release\\Gubed.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\pstgdump_RID2A85.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x3 = "\\Release\\FakeRun.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "c:\\ntevt.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\BypassUAC.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\archer_lyl\\Release\\Archer_Input.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\ASGT.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = /\\Debug\\[a-z]{0,8}katz.pdb/ source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "ntfltmgr.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x4 = "\\Debug\\dloader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\ScreenMonitorService\\Release\\smmsrv.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\obj\\Debug\\AllTheThings_RID2BB8.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x5 = "mfc42l00.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\injector.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\ChromePasswordDump\\Release\\FireMaster.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\svc.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "Desktop\\Htran\\Release\\Htran.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "C:\\Documents and Settings\\Administrator\\Desktop\\GetPAI\\Out\\IE.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\EWSTEW.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\beacon\\Release\\beacon.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\Release\\dloader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\RoyalCli.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\BisonNewHNStubDll\\Release\\Goopdate.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\InjectDll.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "c:\\Development\\ghps\\nps\\nps\\obj\\x86\\Release\\nps.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\obj\\Debug\\Sharpire_RID2A4F.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\milk\\Release\\milk.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\NoPowerShell.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x6 = "\\x86\\Release\\word.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "D:\\gitpoc\\UAC\\src\\x64\\Release\\lpe.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s3 = "\\Release\\Loader.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\Release\\CnCerT.CCdoor.Client.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "D:\\Work\\Project\\VS\\HSSL\\HSSL_Unicode _2\\Release\\ServiceClient.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string (reference strings repeated several times): BlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pd; Privileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-c; Strider: Cyberespionage group turns eye of Sauron on targets http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sau source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp
Source: Binary string: $x1 = "F:\\Projects\\Bot\\Bot\\Release\\Ism.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\obj\\Release\\Step7ProSim.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string (reference string repeated many times): Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source: Binary string: $s0 = "\\Release\\AppInitHook_RID2B57.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\inject.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "bin\\oSaberSvc.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "C:\\WRK\\GHook\\gHook\\x64\\Debug\\gHookx64.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "C:\\Projets\\vbsedit_source\\script2exe\\Release\\mywscript.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "srv\\newclient\\lib\\win32\\obj\\i386\\mstsc.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s0 = "\\Decompress\\obj\\Release\\Decompress.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "ipsearcher_RID2B37\\ipsearcher_RID2B37\\Release\\ipsearcher_RID2B37.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\x64\\x64passldr.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s3 = "\\epathobj_exp\\x64\\Release\\epathobj_exp.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x5 = "Celesty Binder\\Stub\\STATIC\\Stub.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDbBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\reflective_dll.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "src\\build\\Release\\dllConfig\\dllConfig.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\obj\\Release\\Myrtille.Services.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\obj\\x86\\Debug\\secure_scan.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\Win32Project1\\Release\\Win32Project1.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\Release\\RTLBot.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x7 = "\\obj\\Release\\Potato.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\ClearLog\\Release\\logC.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\ms11080\\ms11080\\Debug\\ms11080.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x4 = "Agent Injector\\PolicyConverter\\Joiner\\obj\\Release\\Joiner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x3 = "\\Release\\PhantomNet-SSL.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\CWoolger.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\Release\\Bot Fresh.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\BypassUacDll.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\Layer.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\kasper.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x3 = "Agent Injector\\PolicyConverter\\Inner\\obj\\Release\\Inner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\not copy\\obj\\Debug\\not copy.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\amd64\\elrawdsk.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s16 = ".\\lsasrv.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: BlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pd source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\PSAttack.pdb" fullword source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\WindowXarbot.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\objfre_w2k_x86\\i386\\guava.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s3 = "\\custact\\x86\\AICustAct.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "C:\\Users\\Lenovo\\Desktop\\test\\Release\\test.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\WinMain\\Release\\WinMain.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "Excalibur\\bin\\Shell.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\SkeyMan2.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD dBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDoBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD9Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDcBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDdBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDiBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOThe Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/4dec74bc41c581b82459;APTnotes 2014 Operation_Poisoned_Hurricane.pdf source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\ReflectivLoader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\fgexec_RID2983.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x7 = "\\obj\\Release\\botkill.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x6 = "Bot\\Release\\Ism.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\PowerShellRunner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x5 = "Bot5\\Release\\Ism.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDh source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\instlsp\\Release\\Lancer.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\MiniAsp4\\Release\\MiniAsp.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\scout\\Release\\scout.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\epathobj_exp\\Release\\epathobj_exp.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = /\\Release\\[a-z]{0,8}katz.pdb/ source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x4 = "BypassUac.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s5 = "%windows%\\mfc42l00.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\obj\\Release\\TempRacer_RID2A94.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\exploit.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s0 = "\\i386\\Hello.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s6 = "\\obj\\Release\\ZPP.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s3 = "uac\\bin\\install_test.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "C:\\Users\\Logintech\\Dropbox\\Projects\\New folder\\Latest\\Benchmark\\Benchmark\\obj\\Release\\Benchmark.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\dnscat2.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "c:\\ntevt.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD5Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDaBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8@ source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\support\\Release\\ab.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s4 = "C:\\v3\\exe\\de_svr_inst.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\ms11080\\Debug\\ms11080.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Code function: 0_2_004062A3 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Code function: 0_2_004026FE FindFirstFileA,
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\Application Data\
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\

Networking:

Found Tor onion address
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: WdSAzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-Double dipping: Diverting ransomware Bitcoin payments via .onion domains https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ransoDouble dipping: Diverting ransomware Bitcoin payments via .onion domains https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ranso
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: Double dipping: Diverting ransomware Bitcoin payments via .onion domains https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ransoNew version of mobile malware Catelites possibly linked to Cron cyber gang https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-tH %
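Two things about the evidence above are worth checking mechanically before acting on it. The "Binary string" rows have the shape of YARA string declarations (`$s1 = "\\Release\\inject.pdb" fullword ascii`, `$s1 = /\\Release\\[a-z]{0,8}katz.pdb/`), so they are rule text held in memory rather than PDB paths the sample itself was linked with; and the string shown for "Found Tor onion address" is the title and URL of a published report that contains the word ".onion", not a hostname. The Python helper below is an added example and not part of this report or of Joe Sandbox: it parses "Source:" rows of the two shapes used on this page, tags rule-syntax evidence separately from real PDB paths and report references, and only reports an onion address when a 16- or 56-character base32 label precedes ".onion" (for v3 it also verifies the checksum that is encoded in the address). The module name example.exe, the dump identifiers of the two last sample rows, and the onion address derived from a fixed 32-byte key are constructed for the demonstration and are not from the report.

```python
import base64
import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# v3 onion = base32(pubkey[32] | checksum[2] | version[1]) = 56 chars, checksum =
# SHA3-256(".onion checksum" | pubkey | version)[:2], version 3; legacy v2 = 16 chars.
ONION_RE = re.compile(r"(?<![a-z2-7])([a-z2-7]{56}|[a-z2-7]{16})\.onion(?![a-z0-9])", re.I)

def make_v3_onion(pubkey: bytes) -> str:
    """Build a checksum-valid v3 address from a 32-byte public key."""
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return base64.b32encode(pubkey + checksum + b"\x03").decode().lower() + ".onion"

def is_valid_v3_onion(label: str) -> bool:
    """True when label decodes to 35 bytes, carries version 3 and its checksum matches."""
    try:
        raw = base64.b32decode(label, casefold=True)
    except (ValueError, TypeError):
        return False
    if len(raw) != 35 or raw[34] != 3:
        return False
    return raw[32:34] == hashlib.sha3_256(b".onion checksum" + raw[:32] + b"\x03").digest()[:2]

def find_onion_addresses(text: str) -> list:
    """(address, version, checksum_ok) for each real-shaped .onion host; a bare '.onion'
    token in prose has no base32 label in front of it and is not reported."""
    hits = []
    for m in ONION_RE.finditer(text):
        label = m.group(1).lower()
        if len(label) == 56:
            hits.append((label + ".onion", "v3", is_valid_v3_onion(label)))
        else:
            hits.append((label + ".onion", "v2", None))  # v2 has no checksum to verify
    return hits

# Two row shapes occur on the page; '\s*' before 'String found' also accepts the fused form.
BINARY_STRING_RE = re.compile(
    r"^Source:\s*Binary string:\s*(?P<evidence>.*?)\s*source:\s*(?P<module>[^,]+),\s*(?P<dump>\S+\.sdmp)\s*$")
MEMORY_STRING_RE = re.compile(
    r"^Source:\s*(?P<module>[^,]+),\s*(?P<dump>\S+\.sdmp)\s*String found in binary or memory:\s*(?P<evidence>.*)$")
ANNOTATION_RE = re.compile(r"\s+equals\s+\S+\s+\([^)]*\)\s*$")  # sandbox note 'equals www.x.com (X)'
# Shape of a YARA string declaration: $name = "text" | /regex/ | { hex }, then optional modifiers.
YARA_STRING_DECL = re.compile(
    r'^\$[A-Za-z0-9_]*\s*=\s*(?:"(?:[^"\\]|\\.)*"|/.*/|\{[^}]*\})'
    r"(?:\s+(?:fullword|ascii|wide|nocase|xor|base64|base64wide|private))*\s*$")
PDB_PATH_RE = re.compile(r'[^\s"]+\.pdb\b', re.I)
URL_RE = re.compile(r"https?://", re.I)

@dataclass
class Hit:
    module: str
    dump: str
    evidence: str
    classification: str

def classify(evidence: str) -> str:
    if YARA_STRING_DECL.match(evidence):
        return "yara-rule-text"  # rule syntax held in memory, not a path the sample was built with
    if find_onion_addresses(evidence):
        return "onion-address"
    if PDB_PATH_RE.search(evidence):
        return "pdb-path"
    if URL_RE.search(evidence):
        return "report-reference"  # title and URL of a published report carried as a string
    return "other"

def parse_report_line(line: str) -> Optional[Hit]:
    m = BINARY_STRING_RE.match(line) or MEMORY_STRING_RE.match(line)
    if not m:
        return None
    evidence = ANNOTATION_RE.sub("", m.group("evidence")).strip()
    return Hit(m.group("module").strip(), m.group("dump"), evidence, classify(evidence))

def summarize(lines: list) -> Counter:
    return Counter(h.classification for h in map(parse_report_line, lines) if h)

# Constructed input: the first four rows are shortened from this page, the last two are made up.
EXAMPLE_ONION = make_v3_onion(bytes(range(32)))  # synthetic key, not a live service
SAMPLE_LINES = [
    r'Source: Binary string: $s1 = "\\Release\\inject.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp',
    r'Source: Binary string: $s1 = /\\Release\\[a-z]{0,8}katz.pdb/ source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp',
    r'Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: $s3 = "www.yahoo.com" fullword ascii equals www.yahoo.com (Yahoo)',
    r'Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: Double dipping: Diverting ransomware Bitcoin payments via .onion domains https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ranso',
    r'Source: Binary string: C:\build\agent\Release\agent.pdb source: example.exe, 00000001.00000002.100000000.0000000000400000.00000002.00020000.sdmp',
    "Source: example.exe, 00000001.00000002.100000000.0000000000400000.00000002.00020000.sdmp String found in binary or memory: http://" + EXAMPLE_ONION + "/gate.php",
]

if __name__ == "__main__":
    for hit in filter(None, map(parse_report_line, SAMPLE_LINES)):
        print(f"{hit.classification:16} {hit.module:18} {hit.evidence[:70]}")
    print(dict(summarize(SAMPLE_LINES)))
```

Run stand-alone, the script prints one classification per row and the counts: the four rows taken from this page come out as three rule-text hits and one report reference, with no onion address found, while the two constructed rows show what a genuine PDB path and a checksum-valid v3 address look like. Feeding the whole "Source:" table of a report through `summarize` gives a quick sense of how much of the evidence is embedded rule or report text before any of the detected family names are taken at face value.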
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: $s3 = "www.yahoo.com" fullword ascii equals www.yahoo.com (Yahoo)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 008DE622CA9526F5F4A1DD3F16F4EA;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 02B03555A505CFCFC4B5F4F716B2BA88ED4CD8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 038A97B4E2F37F34B255F0643E49FC9D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 04738CA02F59A5CD394998A99FCD9613;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 070D7082A5ABE1112615877214EC82241FD17E5BD465E24D794A470F699AF88E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 07E1740152E09610EA826655D27E8D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 092DE09E2F346B81A84113734964AD10284F142D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 09DB36F71106379832C8CA57BA5BE8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 0A15D1AA85C9D39C4757EFDA861DA014156D31;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 0D2B07DF600285D1D8C49938BC2F79AD3EEF5C77;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 0D7082A5ABE1112615877214EC82241FD17E5BD465E24D794A470F699AF88E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 12499311682E914B703A8669CE05FA4D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 12620D0CBCDFBDB04D01A18BBD497B8A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 141E78D16456A072C9697454FC6D5F58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 159B71183A69928BA8F26B76772EC504AEFEAC71021B012BD006162E133731;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 1CAA374B5A53E34E161C59D18CE6FDFF;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 1CC9179A724C41E6712CE3F5AEADFD;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 1CE20B4E7A561F0AC5C6C515975B70A5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 1CE41809508B7F88A24CABA884926C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 1E78D16456A072C9697454FC6D5F58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 1FD9AEEACA9631902BCCD6BDD89F74;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 2154A36F32BA10E98020A8AD758A7A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 243511A51088D57E6DF08D5EF52D5499;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 277256F905D7CB07CDCD096CECC27E76;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 2B07DF600285D1D8C49938BC2F79AD3EEF5C77;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 2C641A9348F1E0CCF9F38EE17F41B2DA;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 2C9095C965A55EFC46E16B86F9B7D6C6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 2DE09E2F346B81A84113734964AD10284F142D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 2F159B71183A69928BA8F26B76772EC504AEFEAC71021B012BD006162E133731;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 31008DE622CA9526F5F4A1DD3F16F4EA;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: 34A11F3D68FD6CDEF04B6DF17BBE8F4D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 3511A51088D57E6DF08D5EF52D5499;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 36E477643375030431301ABACCB8287B2EECCE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 3986FB79BC66807E28F233B52EFA7C315862C8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 39BFE18D912DBCC940D05D692EFEB9;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 3B6C3DF08E99B40148548E96CD1AC872;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 3C432A21CFD05F976AF8C47A007928F7;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 3C58F168E883AF1294BBCEA33B03E6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 3CC0D3A05CD0CEF8294506F37A0B8A00;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 3D36E477643375030431301ABACCB8287B2EECCE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 40D3D8795559A556A8897EC6E003FC91;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 41E48A6B91750D99A8295C97FD55D5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 432A21CFD05F976AF8C47A007928F7;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 43E71A8C73B5E343AA9D2E19002373;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 451CE41809508B7F88A24CABA884926C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 4595DBE00A538DF127E0079294C87DA0;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 489F3E5D8BFEB3A75250017191277E2D5D0BAE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 4909DB36F71106379832C8CA57BA5BE8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 499311682E914B703A8669CE05FA4D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: 4AADF3CA86E9B567E23F9F31782495;Gendwnurl Backdoor https://twitter.com/0x766c6164/status/794176576011309056 / https://www.microsoft equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 4CB67845A88F1A9C22CEAAD46F584B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 4E4E9AAC289F1C55E50227E2DE66463B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 4E9AAC289F1C55E50227E2DE66463B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 509F959F92210D8DD40710BA34548AE960864754;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 514DEE65CAF923E829F1E0094D2585;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 529353E33FD3C0D2802BB558414F11;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 5388520F80C6CA3038445EBB3D6A51F3D90BF717;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 5ACC56C93C5BA1318DD2FA9C3509D60B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 5C2C06DECA8212EB71D2CC7F0D23E9;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 5C5C2C06DECA8212EB71D2CC7F0D23E9;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 5C6A887A91B18289A70BDD29CC86EBDB;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 5D63D4D952E9A0715583F97A2D9EDEB45AE74E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 5DBEF7BDDAF50624E840CCBCE2816594;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 5FCD7588B1D94008975C4627C8FEB6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 619528E52A31D1D348ACB2077E2FC240;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 61C909D2F625223DB2FB858BBDF42A76;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 61E2679CD208E0A421ADC4940662C583;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 620D0CBCDFBDB04D01A18BBD497B8A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: 637F971A3BCD465BF077921A51F7EC;Gendwnurl Backdoor https://twitter.com/0x766c6164/status/794176576011309056 / https://www.microsoft equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 641A9348F1E0CCF9F38EE17F41B2DA;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 64E917FEBEA4AB178F7D21A7E220FE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 64F0AC82CCC4A6DEF48D5F9079B7C146126C6464;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 65A1A73253F04354886F375B59550B46;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 65FCC51F70B2213BCE4D39DE56646795FD62D169;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 661CC9179A724C41E6712CE3F5AEADFD;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 6A887A91B18289A70BDD29CC86EBDB;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 6C3C58F168E883AF1294BBCEA33B03E6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 6C3DF08E99B40148548E96CD1AC872;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 722154A36F32BA10E98020A8AD758A7A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 7256F905D7CB07CDCD096CECC27E76;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 72A28EFB6E32E653B656CA32CCD44B3111145A695F6F6161965DEEBBDC437076;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 738CA02F59A5CD394998A99FCD9613;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 756DD64C1147515BA2298B6A760260;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 765FCD7588B1D94008975C4627C8FEB6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 78256FBF2F061CFDED7FDD58FEDED6765FADE730374C508ADAD89282F67D77;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 78E90308FF107CE38089DFF16A929431;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 791BCEBAEA85E9129E706B22E3BDA43F762E4A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 793986FB79BC66807E28F233B52EFA7C315862C8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: 79B13F81582E64327CFC02425BD7DC;Trojan.Klonzyrat https://twitter.com/jiriatvirlab/status/822601440317345792 / https://www.symante equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 7AA521E7CAFB360294E56969EDA5D6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 7DBFA8CBB39192FFE2A930FC5258D4C1;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 7EAE5684E4B4BF44E36F2810C86FCD33;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 8341E48A6B91750D99A8295C97FD55D5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 848775BAB0801E5BB15B33FA4FCA573C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 8775BAB0801E5BB15B33FA4FCA573C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 88520F80C6CA3038445EBB3D6A51F3D90BF717;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 8943E71A8C73B5E343AA9D2E19002373;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 8A39BFE18D912DBCC940D05D692EFEB9;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 8A97B4E2F37F34B255F0643E49FC9D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 8F64E917FEBEA4AB178F7D21A7E220FE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 8FF4DC8A2EBFD5EEA11A38877BD4F2DF;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 901FD9AEEACA9631902BCCD6BDD89F74;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 90514DEE65CAF923E829F1E0094D2585;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 905A3508D9309A93AD5C0EC26EBC9B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 9095C965A55EFC46E16B86F9B7D6C6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: 9166A078FB409E1952164028A00B99;Gendwnurl Backdoor https://twitter.com/0x766c6164/status/794176576011309056 / https://www.microsoft equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 943F5E45BEFA52FB12748CA7171D30096E1D4FC3C365561497C618341299D5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 9528E52A31D1D348ACB2077E2FC240;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 95DBE00A538DF127E0079294C87DA0;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 96489F3E5D8BFEB3A75250017191277E2D5D0BAE;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 97290300ABB68FB48480718E6318EE2CDD4F099AA6438010FB2F44803E0B58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 99AA0D0ECEEFCE4C0856532181B449B1;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 9B97290300ABB68FB48480718E6318EE2CDD4F099AA6438010FB2F44803E0B58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 9D1F5D79CD906F75C88177C7F6168E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: 9F959F92210D8DD40710BA34548AE960864754;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A030EA830A12A32E84A012DFB1679B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A07AA521E7CAFB360294E56969EDA5D6;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A0B7FBDBDCEF1777657182A504283D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A11F3D68FD6CDEF04B6DF17BBE8F4D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A1A73253F04354886F375B59550B46;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A278256FBF2F061CFDED7FDD58FEDED6765FADE730374C508ADAD89282F67D77;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A28EFB6E32E653B656CA32CCD44B3111145A695F6F6161965DEEBBDC437076;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A54CCC770DCCE8FD4929B7C1176470;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A602B03555A505CFCFC4B5F4F716B2BA88ED4CD8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A6D36749EEBBBC51B552E5803ED1FD58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A8F69EB2CF9F30EA96961C86B4347282;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: A906082DF6383AA8D5DE60F6EF830E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: AA0D0ECEEFCE4C0856532181B449B1;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: AA374B5A53E34E161C59D18CE6FDFF;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: AA905A3508D9309A93AD5C0EC26EBC9B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: ACDB6D5C1D8C3F5E3C29C3605BFFCF18;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: AE5684E4B4BF44E36F2810C86FCD33;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: APT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32 and the Threat to Global Corporations https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlPowerShell ransomware delivered in MalSpam https://myonlinesecurity.co.uk/new-powershell-ransomware-coming-in-malspam-emailPowerShell ransomware delivered in MalSpam https://myonlinesecurity.co.uk/new-powershell-ransomware-coming-in-malspam-emailPowerShell ransomware delivered in MalSpam https://myonlinesecurity.co.uk/new-powershell-ransomware-coming-in-malspam-emailSandworm to Blacken: The SCADA Connection http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-tSandworm to Blacken: The SCADA Connection http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-t9002 RAT -- a second building on the left http://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-9002 RAT -- a second building on the left http://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-Sandworm to Blacken: The SCADA Connection http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-tXData ransomware attacked users in Ukraine https://twitter.com/martin_u/status/880088927595638784 / https://nioguard.blogspXData ransomware attacked users in Ukraine https://twitter.com/martin_u/status/880088927595638784 / https://nioguard.blogsp equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: B12CCD0A2BFE7D9540E29FAB052698BB300E81326EFD8D85515069179F2FC0;Trojan.Klonzyrat https://twitter.com/jiriatvirlab/status/822601440317345792 / https://www.symante equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: B45D63D4D952E9A0715583F97A2D9EDEB45AE74E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: B6CA04CC59805E2680D77A71D9D7BD2F;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: B72A2802D2A7FF33FD2D4BBCF41188724FCAA8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: BA756DD64C1147515BA2298B6A760260;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: BCF823EEEE02967B49B764E22319C79F;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: BE0A15D1AA85C9D39C4757EFDA861DA014156D31;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: BEF7BDDAF50624E840CCBCE2816594;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: BFA54CCC770DCCE8FD4929B7C1176470;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: BFA8CBB39192FFE2A930FC5258D4C1;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: BankBot Found on Google Play and Targets Ten New UAE Banking Apps http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-BankBot Found on Google Play and Targets Ten New UAE Banking Apps http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-BankBot Found on Google Play and Targets Ten New UAE Banking Apps http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-BankBot Found on Google Play and Targets Ten New UAE Banking Apps http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-BankBot Found on Google Play and Targets Ten New UAE Banking Apps http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-New multi platform malware/adware spreading via Facebook Messenger https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-mNew multi platform malware/adware spreading via Facebook Messenger https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-mNew multi platform malware/adware spreading via Facebook Messenger https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-mLarge Malvertising Campaign Leads to Angler EK & Bunitu Malware http://community.websense.com/blogs/securitylabs/archive/2015/06/10/large-malverLarge Malvertising Campaign Leads to Angler EK & Bunitu Malware http://community.websense.com/blogs/securitylabs/archive/2015/06/10/large-malverLarge Malvertising Campaign Leads to Angler EK & Bunitu Malware http://community.websense.com/blogs/securitylabs/archive/2015/06/10/large-malverChina Hacks the Peace Palace: All Your EEZ’s Are Belong to Us https://www.threatconnect.com/china-hacks-the-peace-palace-all-your-eezs-are-belChina Hacks the Peace Palace: All Your EEZ’s Are Belong to Us https://www.threatconnect.com/china-hacks-the-peace-palace-all-your-eezs-are-bel equals www.facebook.com (Facebook)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: C093A79FAE9B92E69C99BB28F9AE12939E4E1327A371EEAC9207E346ECCDB4;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: C0D3A05CD0CEF8294506F37A0B8A00;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: C1529353E33FD3C0D2802BB558414F11;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: C1A030EA830A12A32E84A012DFB1679B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: C34CB67845A88F1A9C22CEAAD46F584B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: C3DC68E8D734968432C5DD5F6DB444C7;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: C8791BCEBAEA85E9129E706B22E3BDA43F762E4A;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: C909D2F625223DB2FB858BBDF42A76;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: CA04CC59805E2680D77A71D9D7BD2F;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: CC56C93C5BA1318DD2FA9C3509D60B;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: CDA0B7FBDBDCEF1777657182A504283D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: CEFB8A9866A1A09F8ADE2992575F489BCEB735;Trojan.Klonzyrat https://twitter.com/jiriatvirlab/status/822601440317345792 / https://www.symante equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: D36749EEBBBC51B552E5803ED1FD58;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: D3D8795559A556A8897EC6E003FC91;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: D745EA39C8C5B82D5E153D3313096C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: D7D745EA39C8C5B82D5E153D3313096C;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: DB07E1740152E09610EA826655D27E8D;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: DB6D5C1D8C3F5E3C29C3605BFFCF18;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: DC68E8D734968432C5DD5F6DB444C7;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: DD5F334CFFD250A1E16DAC46165DD6;Gendwnurl Backdoor https://twitter.com/0x766c6164/status/794176576011309056 / https://www.microsoft equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: DDE2A6AC540643E2428976B778C43D39;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: DEF52F017EAAC4843AAB506A39AC2DBF96AEE5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: E20B4E7A561F0AC5C6C515975B70A5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: E2679CD208E0A421ADC4940662C583;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: E29D1F5D79CD906F75C88177C7F6168E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: E2A6AC540643E2428976B778C43D39;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: E90308FF107CE38089DFF16A929431;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: E9A906082DF6383AA8D5DE60F6EF830E;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: E9FC007CC082BE545DBC0C62247ADE;Gendwnurl Backdoor https://twitter.com/0x766c6164/status/794176576011309056 / https://www.microsoft equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: EFDEF52F017EAAC4843AAB506A39AC2DBF96AEE5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: F0AC82CCC4A6DEF48D5F9079B7C146126C6464;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: F2943F5E45BEFA52FB12748CA7171D30096E1D4FC3C365561497C618341299D5;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: F4DC8A2EBFD5EEA11A38877BD4F2DF;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: F69EB2CF9F30EA96961C86B4347282;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: F823EEEE02967B49B764E22319C79F;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: F9B72A2802D2A7FF33FD2D4BBCF41188724FCAA8;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: FCC093A79FAE9B92E69C99BB28F9AE12939E4E1327A371EEAC9207E346ECCDB4;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmpString found in binary or memory: FCC51F70B2213BCE4D39DE56646795FD62D169;Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors https://www.us-cert.gov/ncas/alerts/TA17-293A / https://twitter.com/cyb3rops/sta equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: Karagany.B https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234Karagany.B https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234Karagany.B https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99New SamSam Ransomware samples https://twitter.com/demonslay335/status/876940273212895234Ding! Your RAT has been delivered http://blogs.cisco.com/security/talos/darkkomet-rat-spamMalicious Word document targeting Mac users https://objective-see.com/blog/blog_0x17.htmlFinding Hackingteam code in Russian malware https://objective-see.com/blog/blog_0x18.htmlDing! Your RAT has been delivered http://blogs.cisco.com/security/talos/darkkomet-rat-spamCOOLREAPER https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pDing! Your RAT has been delivered http://blogs.cisco.com/security/talos/darkkomet-rat-spamCOOLREAPER https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pDing! Your RAT has been delivered http://blogs.cisco.com/security/talos/darkkomet-rat-spamCOOLREAPER https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pOcean Lotus Report by Tencent https://s.tencent.com/research/report/471.html (HttpProv.dll)Ocean Lotus Report by Tencent https://s.tencent.com/research/report/471.html (HttpProv.dll) equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: Lazarus Samples https://twitter.com/cyb3rops/status/945588042080899072Lazarus Samples https://twitter.com/cyb3rops/status/945588042080899072Lazarus Samples https://twitter.com/cyb3rops/status/945588042080899072Lazarus Samples https://twitter.com/cyb3rops/status/945588042080899072Lazarus Samples https://twitter.com/cyb3rops/status/945588042080899072Further Gaza Cybergang Activity http://www.freebuf.com/vuls/142970.htmlFurther Gaza Cybergang Activity http://www.freebuf.com/vuls/142970.htmlFurther Gaza Cybergang Activity http://www.freebuf.com/vuls/142970.htmlFurther Gaza Cybergang Activity http://www.freebuf.com/vuls/142970.htmlVENOM Linux rootkit https://security.web.cern.ch/security/venom.shtmllVENOM Linux rootkit https://security.web.cern.ch/security/venom.shtmlFurther Gaza Cybergang Activity http://www.freebuf.com/vuls/142970.htmlPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comEvilBunny (2014) https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57Pincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comEvilBunny (2014) https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57Pincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.comAPTnotes 2012 Cyberattack_against_Israeli_and_Palestinian_targets.pdfPincav Malware Hashes https://map.blueliv.com / https://www.blueliv.com equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: Linux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pMalicious Macros targetting South Korea https://twitter.com/eyalsela/status/900248754091167744Hellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing APT 
https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsin.p equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: Malware Analysis Report (MAR-10135536-G) \u2013 North Korean Trojan: BADCALL MAR-10135536-G_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publEvasive Malware Campaign Abuses Free Cloud Service, Targets Korean Speakers https://blog.fortinet.com/2017/09/20/evasive-malware-campaign-abuses-free-cloud-Malware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publMalware Analysis Report (MAR-10135536-F) \u2013 North Korean Trojan: HARDRAIN MAR-10135536-F_WHITE_stix.xml / https://www.us-cert.gov/sites/default/files/publDownloaders on Google Play spreading malware to steal Facebook login details https://blog.avast.com/downloaders-on-google-play-spreading-malware-to-steal-facDownloaders on Google Play spreading malware to steal Facebook login details 
https://blog.avast.com/downloaders-on-google-play-spreading-malware-to-steal-fac6B6E023B4221BAE8ED37BB18407516; APT10 / Cloud Hopper https://goo.gl/CywXnS equals www.facebook.com (Facebook)
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: New Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNaoinstalad Malware Targeting users in Brazil http://www.malware-traffic-analysis.net/2017/06/08/index.htmlNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNaoinstalad Malware Targeting users in Brazil http://www.malware-traffic-analysis.net/2017/06/08/index.htmlBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eya equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: SDarkhotel (2014) https://cdn.securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf / htOperation Double Tap https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.htmlAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT Malware Delivered over Facebook https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware equals www.facebook.com (Facebook)
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: Sowbug: Cyber espionage group targets South American and Southeast Asian governments https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-sout5Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopi1#ISMDoor impersonates ZAHRANI (an electrical equipment and engineering company in Saudi Arabia) and ThetaRay. https://twitter.com/eyalsela/status/92066117900924109328cTurla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopib8Turla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopieTurla APT actor refreshes KopiLuwak JavaScript backdoor for use in G20-themed attack https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiNRecent Watering Hole Attacks Attributed to APT Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-aRecent Watering Hole Attacks Attributed to APT Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-udiRecent Watering Hole Attacks Attributed to APT Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-ioRecent Watering Hole Attacks Attributed to APT Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-Recent Watering Hole Attacks Attributed to APT Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-f6Recent Watering Hole Attacks Attributed to APT 
Group th3bug Using Poison Ivy (2014) http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks- equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: The Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe Scarab attack group http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScRATs from the Underground http://researchcenter.paloaltonetworks.com/2017/01/unit42-exploring-cybercrime-uBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / https://twitter.com/eyaBanking Trojan Attempts To Steal Brazillion$ http://blog.talosintelligence.com/2017/09/brazilbanking.htmlNew Arid Viper Activity https://twitter.com/eyalsela/status/882497460102365185 / 
https://twitter.com/eyad312ff06187c93d12dd5f1d0;FannyWorm Equation Group Sample http://goo.gl/f6xNwu equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: The Spring Dragon APT https://securelist.com/blog/research/70726/the-spring-dragon-apt/APT1: technical backstage (2013) https://app.box.com/s/x2jgr4j1bgfas2h2b4h09mam9nn4qwu3Group5: Syria and the Iranian Connection https://citizenlab.org/2016/08/group5-syria/APT29 Domain Fronting With TOR https://www.fireeye.com/blog/threat-research/2017/03/APT29 Domain Fronting With TOR https://www.fireeye.com/blog/threat-research/2017/03/APT29 Domain Fronting With TOR https://www.fireeye.com/blog/threat-research/2017/03/APT29 Domain Fronting With TOR https://www.fireeye.com/blog/threat-research/2017/03//Nebula Exploit Kit http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlNebula Exploit Kit http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlNebula Exploit Kit http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlUrsnif: Deep Technical Dive http://www.seculert.com/blogs/ursnif-deep-technical-diveLazarus Bitcoin Spearphishes https://twitter.com/ClearskySec/status/944926250161844224Group5: Syria and the Iranian Connection https://citizenlab.org/2016/08/group5-syria/Lazarus Bitcoin Spearphishes https://twitter.com/ClearskySec/status/944926250161844224Group5: Syria and the Iranian Connection https://citizenlab.org/2016/08/group5-syria/Group5: Syria and the Iranian Connection https://citizenlab.org/2016/08/group5-syria/Angler Exploit Kit New Variants http://blogs.cisco.com/security/talos/angler-variantsAngler Exploit Kit New Variants http://blogs.cisco.com/security/talos/angler-variantsGroup5: Syria and the Iranian Connection https://citizenlab.org/2016/08/group5-syria/Lazarus Bitcoin Spearphishes https://twitter.com/ClearskySec/status/944926250161844224Angler Exploit Kit New Variants http://blogs.cisco.com/security/talos/angler-variantsAngler Exploit Kit New Variants http://blogs.cisco.com/security/talos/angler-variants 
equals www.twitter.com (Twitter)
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: HTTP://HI.BAIDU.COM/0X24Q
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: Http://Www.YrYz.Net
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: Http://www.darkst.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s/%5.5d.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s/content.html?id=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s/device_command.asp?device_id=%s&cv=%s&command=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s/error.html?tab=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s/ja-JP/2015/%d/%d/%d%d%d%d%d%d%d%d.gif
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s/logo.png
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s/main.php?ssid=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s/provide?clients=%s&reqs=visit.startload
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s/record.asp?device_t=%s&key=%s&device_id=%s&cv=%s&result=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s/result_%s.htm
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s/webmail.php?id=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s:%d/aspxabcdef.asp?%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%s:%d/aspxabcdefg.asp?%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://%ws:%d/%d%s%dHTTP/1.1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://0.0.0.0/1
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://0xicf.wordpress.com/2014/12/18/a-pirated-version-of-the-assassins-creed-a
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://124.133.254.171/up/up.asp?id=%08x&pcname=%s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1/1.exe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1/6kbbs/bank.asp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1/cookie.asp?fuck=
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1/error1.asp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1/phptunnel.php
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1/sql.asp?id=1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:%d/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:%u/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:8000/$_name
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://192.168.16.186/details.php?id=1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://192.169.200.200:2217/mysql_inject.php?id=1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://2016.eicar.org/85-0-Download.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://202.113.20.235/gj/images/2.asp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://210.73.64.88/doorway/cgi-bin/getclientip.asp?IP=
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://24hack.com/xyadmin.asp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://Www.cnhuker.com
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmpString found in binary or memory: http://amtrckr.info/json/live
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: http://amtrckr.info/json/liveeFull
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: http://asec.ahnlab.com/1015
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://babelfish.yahoo.com/translate_url?
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmpString found in binary or memory: http://baesystemsai.blogspot.co.uk/2017/10/taiwan-heist-lazarus-tools.html
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://baesystemsai.blogspot.co.uk/2017/10/taiwan-heist-lazarus-tools.htmlFake
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://baesystemsai.blogspot.co.uk/2017/10/taiwan-heist-lazarus-tools.htmlTaiwan
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://bbs.yesmybi.net
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://benkowlab.blogspot.com/2017/08/a-third-look-in-jsdropperursnif.html?m=1/.
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://benkowlab.blogspot.com/2017/08/a-third-look-in-jsdropperursnif.html?m=1/A
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://benkowlab.blogspot.com/2017/08/a-third-look-in-jsdropperursnif.html?m=1/The
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://benkowlab.blogspot.com/2017/08/a-third-look-in-jsdropperursnif.html?m=1acA
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://benkowlab.blogspot.com/2017/08/a-third-look-in-jsdropperursnif.html?m=1tesDemocracy
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://bit.ly/1BFEujv
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://blacksecurity.org
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmpString found in binary or memory: http://blog.0day.jp/2015/06/linuxmayhem.html
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://blog.0day.jp/2015/06/linuxmayhem.htmlBlue
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmpString found in binary or memory: http://blog.0day.jp/p/english-report-of-fhappi-freehosting.html?m=1
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmpString found in binary or memory: http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploi
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploiFiesta
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploiTeaching
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://blog.0x3a.com/post/120423677154/unusual-njrat-campaign-originating-from-s
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://blog.0x3a.com/post/120423677154/unusual-njrat-campaign-originating-from-sDiscovering
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://blog.0x3a.com/post/120423677154/unusual-njrat-campaign-originating-from-sUnusual
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://blog.0x3a.com/post/127019416444/development-of-the-cryptoapp-ransomware
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmpString found in binary or memory: http://blog.0x3a.com/post/134260124544/inside-braviaxfakerean-an-analysis-and-hi
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://blog.0x3a.com/post/64094318510/analysis-of-the-internet-security-fake-ant
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://blog.0x3a.com/post/64094318510/analysis-of-the-internet-security-fake-antAnalysis
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://blog.alyac.co.kr/1448
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.alyac.co.kr/1448CRCoinManager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.alyac.co.kr/1448f
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: http://blog.alyac.co.kr/1519
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://blog.alyac.co.kr/1519GlobeImposter
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://blog.alyac.co.kr/1519New
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: http://blog.alyac.co.kr/1519Operation
Source: vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: http://blog.alyac.co.kr/1521
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmpString found in binary or memory: http://blog.alyac.co.kr/1527
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: http://blog.alyac.co.kr/1527Continued
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: http://blog.alyac.co.kr/1527Group5:
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: http://blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/Defaulting
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: http://blog.cari.net/carisirt-defaulting-on-passwords-part-1-r0_bot/Hancitor
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.checkp
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: http://blog.checkpoint.com/2017/01/23/hummingbad-returns/
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://blog.checkpoint.com/2017/01/23/hummingbad-returns/.
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://blog.checkpoint.com/2017/01/23/hummingbad-returns/A
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://blog.checkpoint.com/2017/01/23/hummingbad-returns/Futurax
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: http://blog.checkpoint.com/2017/03/21/swearing-trojan-continues-rage-even-author
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.checkpoint.com/2017/04/27/osx-malware-catching-waYi
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmpString found in binary or memory: http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traf
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-trafOSX/Dok
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-trafShortJSRat
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendm
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/?p=73194
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-h
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-hLuaBot:
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-lands
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-foothold
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-footholdAttack
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-footholdDyre
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-footholdpj
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-gains-footholdwww.secureworks.com/
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-of-the-90s-kid
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-of-the-90s-kidAnalysis
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/attack-of-the-90s-kidChinese
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-BankBot
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bankbot-found-google-New
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-BANKER
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/banker-trojan-sports-Industroyer
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/banking-trojans-as-a-
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bebloh-expands-japan-BEBLOH
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bebloh-expands-japan-Jaff
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/bebloh-expands-japan-mise.pdf
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/blackgear-espionage-c
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-stra
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-stracCyber
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wa
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-0199-new-mal
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-0199-new-malCVE-2017-0199:
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/dridex-spam-runs-resu
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-.P
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-Erebus
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-TREASUREHUNT:
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/fake-apps-take-advant
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-tiUrsnif
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/02/fighter
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black.jFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black//Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black/u8WAVh
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black00Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black12Following
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black18Campaign
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black19Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black1cFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black20Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black2DFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black2bFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black38Following
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black3AFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black3WFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black42Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black43Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black45Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black55Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black6eFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black70Following
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black76Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black80Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black87Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black94Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black97Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black99Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-black9dFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackAVFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackBzFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackC6Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackD1Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackD5Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackE
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackFollowing
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackPTFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackSeFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackWGNYE
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacka.pdf
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacka2Following
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacka7Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackaPFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackasFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackbfFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackc
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackc5Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackceFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackd2Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackd5Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackddFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackdfFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacke
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacke-Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackf1Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackf6Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackfbFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackg
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackg-Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackgoFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackhrFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackjFFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackkeFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacklsFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackmpFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackp:Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackraFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackt
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackteFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackttFollowing
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackwaFollowing
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-at
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-atCompromised
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-flash-atStrider:
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/hddcryptor-updates-st
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-tar
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-tarBotnet
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-tarDCSO
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-tarKIVARS
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/latest-flash-exploit-
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/latest-flash-exploit-7Latest
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/latest-flash-exploit-Latest
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/latest-flash-exploit-ppendixes.pdf8
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-upd
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-comple
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-y
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-y8
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-yLurk:
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-yTerracotta
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kitenPlugX
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdflOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfn_Operation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfncOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfpoOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfr_Operation
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://d12zpbetgs1pco.cloudfront.net/Weatherapi/shell
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://d99net.3322.org
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://darkeyev3.blogspot.fi/
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: http://documents.trendmicro.com/assets/Appendix%20-%20The%20Rise%20and%20Fall%20
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmpString found in binary or memory: http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pd
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmpString found in binary or memory: http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmpString found in binary or memory: http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdPrivileges
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://dokumente.linksfraktion.de/inhalt/report-orig.pdf
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmpString found in binary or memory: http://download.ahnlab.com/kr/site/library/%5bAnalysis%5dDefense_Industry_Threat
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: http://feedproxy.google.com/~r/GDataSecurityBlog/~3/z08Ffq28vyg/babar-espionage-
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://feedproxy.google.com/~r/GDataSecurityBlog/~3/z08Ffq28vyg/babar-espionage-Babar
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://feedproxy.google.com/~r/GDataSecurityBlog/~3/z08Ffq28vyg/babar-espionage-Malicious
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://feedproxy.google.com/~r/PaloAltoNetworks/~3/xuID4xdAMX4/
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://feedproxy.google.com/~r/PaloAltoNetworks/~3/xuID4xdAMX4/8
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://feedproxy.google.com/~r/PaloAltoNetworks/~3/xuID4xdAMX4/Filmkan
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://feedproxy.google.com/~r/PaloAltoNetworks/~3/xuID4xdAMX4/Turla
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: http://feedproxy.google.com/~r/zscaler/research/~3/KveAeHbavcs/ongoing-angler-ex
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://feedproxy.google.com/~r/zscaler/research/~3/KveAeHbavcs/ongoing-angler-exSatellite
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://feedproxy.google.com/~r/zscaler/research/~3/KveAeHbavcs/ongoing-angler-exSpyDealer:
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/Nxcmd081znk/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://ftp.powernet.com.tr/supermail/debug/k3
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmpString found in binary or memory: http://garwarner.blogspot.com/2016/08/amazon-gift-card-from-kelihos.html
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://garwarner.blogspot.com/2016/08/amazon-gift-card-from-kelihos.htmlAmazon
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://garwarner.blogspot.com/2016/08/amazon-gift-card-from-kelihos.htmlStuxnet
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://getalfa.rf.gd/?i=1
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmpString found in binary or memory: http://go.cybereason.com/rs/996-
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/0Nhax2
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/5VYtlU
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/9Tlk90
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/MJ0c2M
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/SGcS2HSymantec
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/TWGNYE
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/V0epcf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/WiwtYT
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/ZjJy
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/ZjJyti
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/b3pVyL476bf24a4b1e9f4bc2a61b152115e1feDerusbi
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/b3pVyL4c0b2e9d2ef909d15270d4dd7fa5a4a5Derusbi
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/b3pVyL4f4bf27b738ff8f2a89d1bc487b054a8a7bd555866ae1c161f78630a638850e775d3d1f23628122a
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/b3pVyL7bd55818c5971b63dc45cf57cbeb950bDerusbi
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/bGzjmB
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/bTtpGDMalware
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/bTtpGDTROJ_WERDLOD:
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/d5ujEHKraken
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/f6xNwu
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/f6xNwu8
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/f6xNwue
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/h0dJTr
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/h0dJTr$0i
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/h0dJTr8
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/h0dJTrBackspace
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/h0dJTrFireeye:
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/h0dJTrTargeted
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/igxLyF
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/ivt8EW
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/jcS0lOAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/kAHB9t
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/m2CXWR
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/psjCCc
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://goo.gl/u8WAVh
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://google.com/search
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/Chaos:
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/Ransom.ShurL0ckr
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmpString found in binary or memory: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Adventures-in-PoSeidon-ge
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Adventures-in-PoSeidon-geAdventures
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Adventures-in-PoSeidon-geUncovering
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://hi.baidu.com/ca3tie1/home
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://hi.baidu.com/xahacker/fuck.txt
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmpString found in binary or memory: http://ht.ly/Wg3GY
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://ht.ly/Wg3GYScanline
Source: vnwareupdate.exe, 00000003.00000003.237233008.00000000036C1000.00000004.00000001.sdmpString found in binary or memory: http://ht.ly/Wg3GYp
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: http://id-ransomware.blogspot.co.uk/2016/10/ishtar-ransomware.html
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://id-ransomware.blogspot.co.uk/2016/12/braincrypt-ransomware.html
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: http://id-ransomware.blogspot.co.uk/2017/06/shifr-raas-ransomware.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://iframe.ip138.com/ic.asp
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmpString found in binary or memory: http://info.ai.baesystems.com/rs/308-OXI-896/images/The_Return_of_Qbot_WP_V2%20M
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://itsjack.cc/blog/2015/02/krakenhttp-not-sinking-my-ship-part-1/
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: http://johannesbader.ch/2015/01/the-dga-of-symmi/
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://johannesbader.ch/2015/01/the-dga-of-symmi/Symmi
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://l-y.vicp.net
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://laudanum.inguardians.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://laudanum.secureideas.net
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmpString found in binary or memory: http://liuya0904.blogspot.co.uk/2016/04/new-elknotbillgates-variant-with-xor.htm
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://localhost/1.asp?id=16
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://localhost/index.asp?id=2
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://localhost/index.asp?id=zhr
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://localhost/retomysql/pista.aspx?id_pista=1
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/07/23/index.html9EITest
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/07/23/index.htmlCryxos.B
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/07/29/index.htmlBlank
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/07/29/index.htmlsBlank
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/07/29/index.htmlture
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/01/index.html
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/01/index.htmlKaragany.B
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index3.html
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index3.htmlGlobeImposter
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index3.htmlTomcat
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index3.htmlVawtrak
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index4.html
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index4.htmlAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index4.htmlDridex
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index4.htmlGryphon
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/02/index4.htmlxCaon
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/03/index.htmlIntroducing
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://malware-traffic-analysis.net/2017/08/03/index.htmlx
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html?m=1
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlNebula
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlRegin
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.htmlUrsnif:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://marcoramilli.blogspot.co.uk/2017/06/false-flag-attack-on-multi-stage.html.
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://marcoramilli.blogspot.co.uk/2017/06/false-flag-attack-on-multi-stage.htmlFalse
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://md5.com.cn/index.php/md5reverse/index/md/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://microsoftcompanywork.htm
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-mor
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morBernhardPOS
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morMultiple
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: http://mymalwareparty.blogspot.co.uk/2018/01/word-add-in-persistence-found-in-wi
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: http://mymalwareparty.blogspot.co.uk/2018/01/word-add-in-persistence-found-in-wi9Word
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: http://mymalwareparty.blogspot.co.uk/2018/01/word-add-in-persistence-found-in-wiCobalt
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://mymalwareparty.blogspot.co.uk/2018/01/word-add-in-persistence-found-in-wiOkiru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: http://mymalwareparty.blogspot.co.uk/2018/01/word-add-in-persistence-found-in-wiWord
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-exce
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://netimo.net
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: http://news.asiaone.com/news
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmpString found in binary or memory: http://news.drweb.com/show/?i=11115&c=5&lng=en&p=0
Source: vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://news.drweb.com/show/?i=11115&ampAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://news.drweb.com/show/?i=11115&ampLinux.DDoS.93
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5Duqu
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5Lazarus
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5New
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5Operation
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://news.drweb.com/show/?i=9548&lng=en&c=5Trojanized
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmpString found in binary or memory: http://news.drweb.com/show/?i=9754&lng=en&c=14
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-theAlphaLocker
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: http://news.softpedia.com/news/meet-orcus-latest-addition-to-the-rat-market-5060
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: http://news.softpedia.com/news/new-malware-uses
Source: GZe6EcSTpO.exe, GZe6EcSTpO.exe, 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: GZe6EcSTpO.exe, 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://ntsecurity.nu/toolbox/clearlogs/
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: http://oalabs.openanalysis.net/2016/09/18/the-case-of-getlook23-using-github-iss
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://pages.arbornetworks.com/rs/082-KNA-087/images/ASERT%20Threat%20Intelligen
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/Palebot_Pales
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/Palebot_PalesOperation
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20a
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20a8
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20aHangover
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20actHangover
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20ailHangover
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20ailPitty
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20araHangover
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20areHangover
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20aybHangover
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/FTA%201001%20
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/FTA%201001%20Illuminating
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/FTA%201001%20New
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/FTA%201001%20Updated
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/ThreatConnect
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/it1xSB7V
Source: vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/it1xSB7VAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/it1xSB7VLinux.DDoS.93
Source: vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/it1xSB7VSpy
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/it1xSB7VfAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/it1xSB7VfSpy
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/raw/S8ApwFFz
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/raw/S8ApwFFzGathering
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: http://pastebin.com/raw/S8ApwFFziAkdoor
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://phishme.c
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://phishme.cMacro
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://phishme.cWonknu:
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-.
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-Attack
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-Bolek:
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://phishme.com/disrupting-an-adware-serving-skype-botnet/
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://phishme.com/disrupting-an-adware-serving-skype-botnet/Disrupting
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://phishme.com/disrupting-an-adware-serving-skype-botnet/Pushdo
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmpString found in binary or memory: http://phishme.com/fluxerbot-nginx-powered-proxy-malware/
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://phishme.com/macro-documents-with-xor-encoded-payloads/
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmpString found in binary or memory: http://phishme.com/rockloader-new-upatre-like-downloader-pushed-dridex-downloads
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.ht
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.htNewPosThings
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.htOrcaRAT
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-BAIJIU:
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-Holiday
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2014/12/festive-spearphishing-merry-The
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/neutrino-exploit-kit-deliver
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.htmlFMore
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.htmleaMore
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.htmlrPlugX
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.htmltMore
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.htmlwMore
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/cyber_security_updates/2016/05/exploring-cve-2015-2545-and-
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/files/cto-tib-20150223-01a.pdf
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/files/cto-tib-20150223-01a.pdfAPT30
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/files/cto-tib-20150223-01a.pdfSakula
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: http://pwc.blogs.com/files/cto-tib-20150223-01a.pdfScanbox
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2014/12/compromised-wordpress-sites-serving.html?utm
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2014/12/compromised-wordpress-sites-serving.html?utmCompromised
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2014/12/compromised-wordpress-sites-serving.html?utmOilRig
Source: vnwareupdate.exe, 00000003.00000003.244930410.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2015/06/gamarue-dropping-lethic-bot.html?utm_source=
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2015/06/gamarue-dropping-lethic-bot.html?utm_source=Malware
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2015/12/new-spy-banker-trojan-telax-abusing.html
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.html
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.html.pThere
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlPost-Soviet
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlTThere
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlThere
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlaThere
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlack
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlgThere
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmluThere
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.co
Source: vnwareupdate.exe, 00000003.00000003.242241721.0000000003CA7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-googl
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-googlAttacks
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-googlBadMirror:
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-googlDCSO
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-googlWild
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-Recent
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-aRecent
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-f6Recent
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-ioRecent
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-udiRecent
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-e
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-e8
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-eCmstar
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-eThe
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/plugx-uses-legitimate-samsung
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/plugx-uses-legitimate-samsungMagnitude
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/05/plugx-uses-legitimate-samsungPlugX
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-fam
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-gove
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-goveChina-based
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-CozyCar
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/tracking-minidionis-cozycars-Tracking
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-se
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seFlokibot
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seRecent
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seUnit
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-4ae4;APT10
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-Syrian
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-UPS:
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-WannaCry
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aeros
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aeros8
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerosCompromised
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/07/watering-hole-attack-on-aerosWatering
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/banking-trojan-escelar-infect
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-8
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-KeyRaider:
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targetsOperation
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targetsRetefe
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-A
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-RTF
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-Unusual
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-cam
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/09/musical-chairs-multi-year-camMusical
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modi
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/chinese-taomike-monetization-
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/chinese-taomike-monetization-Android
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/chinese-taomike-monetization-Chinese
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-a
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aBanking
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aDragonOK
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aJapanese
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aNetTraveler
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aOperation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aYiSpecter:
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-mo
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/11/cryptowall-v4-emerges-days-af
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/11/tdrop2-attacks-suggest-dark-s
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-lin
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linAttack
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linAttacks
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russ
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russAPT3
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russBBSRAT
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russEl
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russPowerSniff
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russThe
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/ios-trojan-tinyv-attacks-jail
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2015/12/proxyback-malware-turns-user-
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-em
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-emNetTraveler
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-emYiSpecter:
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-Anchor
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-Deep
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-New
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-Operation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-The
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espi
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-li
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-didAsruex:
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-didEmissary
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-didSphinx
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/locky-new-ransomware-mimics-d
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phish
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishAndroid
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishWidespread
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/acedeceiver-first-ios-trojan-
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/banload-malware-affecting-bra
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/evolution-of-samsa-malware-su
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/locky-ransomware-installed-th
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/locky-ransomware-installed-thLocky
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/locky-ransomware-installed-thMalware
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-ma
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-maBBSRAT
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-maIlluminating
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-acto
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/04/unit42-ransomware-locky-tesla
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-o
Source: vnwareupdate.exe, 00000003.00000003.233614213.0000000005D73000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets
Source: vnwareupdate.exe, 00000003.00000003.233536403.0000000005CF3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-a
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/06/unit42-tracking-elirks-varian
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/06/unit42-tracking-elirks-varianTracking
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit42-andromeda-botnet-targe
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-rans
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit42-spynote-android-trojan
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit42-spynote-android-trojan(APT-C-23)
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/07/unit42-spynote-android-trojanKaseya
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/08/unit42-fresh-baked-homekit-ma
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unus
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusOrcus
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusPackrat:
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-t
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-tSigned
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-tSofacys
Source: vnwareupdate.exe, 00000003.00000003.236780975.00000000062F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233493320.0000000006353000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/10/unit42-psa-conference-invite-Operation
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-distt
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat
Source: vnwareupdate.exe, 00000003.00000003.236780975.00000000062F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-tools
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolsDCSO
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolsDragonOK
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolsOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolsYiSpecter:
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-exploring-cybercrime-u
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-exploring-cybercrime-uBanking
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-From
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-KONNI
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/01/unit42-second-wave-shamoon-2-Second
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-a
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-aInvestigation
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-aMagic
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-aSandworm
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-stegbaus-because-somet
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xage
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xage.
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xageFlokibot
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-si
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-siContinued
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/03/unit42-google-play-apps-infec
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-d
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequelThe
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequelWannaCry
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/?p=17203
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/?p=17203Aveo
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp String found in binary or memory: http://researchcenter.paloaltonetworks.com/?p=17203Crimeware-as-a-Service
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp String found in binary or memory: http://reversingminds-blog.logdown.com/posts/2125985-dridex-atombombing-in-detaiDown
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: http://sec4app.com
Source: vnwareupdate.exe, 00000003.00000003.244930410.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp String found in binary or memory: http://seclists.org/fulldisclosure/2015/Jan/131
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: http://securelist.com/blog/68978/whos-really-spreading-through-the-bright-star/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: http://securelist.com/blog/68978/whos-really-spreading-through-the-bright-star/Potential
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: http://securelist.com/blog/research/68083/cloud-atlas-redoctober-a
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: http://securelist.com/blog/research/68083/cloud-atlas-redoctober-aCloud
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: http://securelist.com/blog/research/68083/cloud-atlas-redoctober-aSyrian
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp String found in binary or memory: http://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp String found in binary or memory: http://securelist.com/files/2015/02/Carbanak_APT_eng.pdf0b7613e0f739eb63fd5ed9e99934d54a38e56c558ab8
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp String found in binary or memory: http://securelist.com/files/2015/02/Carbanak_APT_eng.pdfCarbanak
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp String found in binary or memory: http://securityblog.s21sec.com/2015/03/new-banker-slave-hitting-polish-banks.htm
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp String found in binary or memory: http://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-fo
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: http://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-foNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: http://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-foOperation
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: http://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-foaNew
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp String found in binary or memory: http://securitykitten.github.io/lusypos-and-tor/
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp String found in binary or memory: http://securitykitten.github.io/lusypos-and-tor/EWRaspberry
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: http://securityxploded.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: http://securityxploded.com/browser-password-dump.php
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp String found in binary or memory: http://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mecha
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechaBedep
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechaRawPOS
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: http://seo.chinaz.com/?host=
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: http://services.fiveemotions.co.jp
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: http://snip.ly/giNB
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp String found in binary or memory: http://snip.ly/giNB8
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp String found in binary or memory: http://stnmt.bacninh.gov.vn/documents/57412/11672469/420-STTTT.pdf
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp String found in binary or memory: http://surveillance-security-camera.blogspot.co.uk/2017/01/analysis-of-new-shamo
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: http://t.co/EG0qtVcKLh
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05#
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05#KTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05#qTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05$
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05$TTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05%
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05(
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05)
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05.
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05/
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-050
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-052
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-052/Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-052CTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-053
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-055
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-056
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-057
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-058?Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-059
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-059JTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05=RTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05ARTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05D
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05E
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05G
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05I3Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05K
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05M
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05N
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05O
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05P
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05Q
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05R
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05S
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05T
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05U
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05W
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05X
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05Y
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05Z
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05_
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05a
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmp String found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05b
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05c
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05d
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05dbTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05dtTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05e
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05f
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05g
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05h
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05i
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05j
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05l
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05m
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05n
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05o
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05p
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05q
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05q0Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05q8Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05r
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05rOTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05rvTrojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05s
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05t
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05u
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05v
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05w
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05x
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05x:Trojan.Linux.Spike.A
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05y
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05z
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20140926-05~
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01APTnotes
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01Archimedes
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01FireCrypt
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01Grabit
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01Skype
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20151008-01Trojan.Win32.Banker.NWT
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmpString found in binary or memory: http://telussecuritylabs.com/threats/show/TSL20160106-02
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://thisissecurity.net/2015/09/30/when-elf-billgates-met-windows/Operation
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://thisissecurity.net/2015/09/30/when-elf-billgates-met-windows/When
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://threatconnect.com/camerashy/?utm_campaign=CameraShy
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://tools.zjqhr.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://translate.google.com/translate?prev=hp&hl=en&js=n&u=%s?%d&sl=es&tl=en
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://update.konamidata.com/test/zl/sophos/td/index.dat?
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://update.konamidata.com/test/zl/sophos/td/result/rz.dat?
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://update.upload-dropbox
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://us11.campaign-archive1.com/?u=90e9f2002c4ccb9d8c541acf9&id=27baaa7b7b
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://user.qzone.qq.com/568148075
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmpString found in binary or memory: http://ver007.com/tools/APTnotes/2010/Combating%20Threats%20-%20Operation%20Auro
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: http://ver007.com/tools/APTnotes/2010/Combating%20Threats%20-%20Operation%20AurockCombating
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: http://ver007.com/tools/APTnotes/2010/Combating%20Threats%20-%20Operation%20AurokCommunities
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: http://ver007.com/tools/APTnotes/2010/Combating%20Threats%20-%20Operation%20Aurokan
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://winodwsupdates.me
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.0855.tv
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.4ngel.net
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdf
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdf6788313A762C211DCB0DE421607E6057;Desto
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfGauss
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfHancitor
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfIntroducing
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfP
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfPoseidon
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfuss
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmpString found in binary or memory: http://www.arbornetworks.com/blog/asert/alpha-testing-alphaleon-http-bot/
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmpString found in binary or memory: http://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: http://www.avanan.com/resources/attack-on-office-365-corporate-users-with-zero-d
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.baidu.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.baidu.com/ma.exe
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malverNew
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-j
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmpString found in binary or memory: http://www.blueliv.com
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: http://www.cert.org.cn/publish/main/10/2017/20170804154348879884398/201708041543
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://www.cert.pl/PDF/The_Postal_Group.pdf
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-sp
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-sp20Nearly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spMaNearly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spPTNearly
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spWoNearly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spabEthiopian
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spatNearly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spdfNearly
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spfdNearly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spixNearly
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spoup
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spteNearly
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: http://www.certego.net/en/news/ruby-rce-used-to-push-monero-coinminer/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.chinesehack.org/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/charmingkitten/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/charmingkitten/Charming
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/charmingkitten/F220F0A48885BAFC29B31FB7228CC4BB;Bots
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/charmingkitten/Full
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/copykitten-jpost/
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/dustysky/
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/dustysky/APTnotes
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/dustysky/Anunak:
Source: vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/dustysky/Operation
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campai
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/greenbug/
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/greenbug/Iranian
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/greenbug/New
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/greenbug/TIranian
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/iec/#att123
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/iec/#att123Operation
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/ismagent/
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/ismagent/EquationDrug
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/ismagent/Recent
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/0219;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/0LeetMX
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/44b8ee7fc2c9;APTnotes
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/8
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/8p
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/A
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/F
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/LeetMX
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/N
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/Operation
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/T
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/The
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/Y
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/df
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/f
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/nShark-MaudiOperation.pdf
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/notes
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/leetmx/s
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/oilrig/Digging
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/oilrig/Iranian
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/oilrig/Malware
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/oilrig/The
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/tulip
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/winnti/
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/winnti/8
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/winnti/Floki
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/winnti/Recent
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/winnti/Tofsee
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.201
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.201ABLOID_EXTRAt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.201Syrian
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.201The
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf?x
Source: vnwareupdate.exe, 00000003.00000002.530925888.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdfIranian
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdfRCHER
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdfck
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/test.dll?user=%USERNAME&pass=%PASSWORD
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/black-vine-formidable-cyberespionage-group
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/breaking-bad-themed-los-pollos-hermanos-cr
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/breaking-bad-themed-los-pollos-hermanos-cr&#39
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-u
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-de
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-de#1020
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-deColombians
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/duuzer-back-door-troj
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-kore
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/dyre-emerges-main-financial-trojan-threat
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/dyre-emerges-main-financial-trojan-threat8
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/dyre-emerges-main-financial-trojan-threatATMZombie:
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/dyre-emerges-main-financial-trojan-threatDyre
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/japanese-corporations-targeted-active-malw
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/japanese-corporations-targeted-active-malw.s
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/japanese-corporations-targeted-active-malwBanking
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/japanese-corporations-targeted-active-malwDragonOK
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/japanese-one-click-fraudsters-target-ios-u
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-h
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-hDyreza
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/new-internet-explorer-zero-day-exploited-hNew
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financi
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financiCARBANAK
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financiOdinaff:
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-tar
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-tarMARCHER
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-tarPatchwork
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-tartchwork
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-o
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sau
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauNew
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauOperation
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauStrider:
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauWild
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-do
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-do0Taiwan
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-doDCSO
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-doLinking
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-doTaiwan
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-doarTaiwan
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-dot
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Sc
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScA
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScBanking
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScRATs
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScThe
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScckCommunities
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Sch
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/SckCommunities
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/SckThe
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/Sckan
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepa
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepaHoliday
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepaThe
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99Android.Bankosy:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99South
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.thc.org
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://www.threatconnect.com/news/china-hacks-the-peace-palace-all-your-eezs-are
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmpString found in binary or memory: http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/From
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/Possible
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: http://www.threatgeek.com/2016/08/vawtrak-trojan-variant-https-c2.html
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://www.threatgeek.com/2016/08/vawtrak-trojan-variant-https-c2.htmlGlobeImposter
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://www.threatgeek.com/2016/08/vawtrak-trojan-variant-https-c2.htmlLazarus
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://www.threatgeek.com/2016/08/vawtrak-trojan-variant-https-c2.htmlNew
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://www.threatgeek.com/2016/08/vawtrak-trojan-variant-https-c2.htmlVawtrak
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.html
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.htmlDown
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://www.threatgeek.com/2016/11/down-the-h-w0rm-hole-with-houdinis-rat.htmlDridex
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://www.threattracksecurity.com/it-blog/dyre-now-using-signed-certificates-ht
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://www.threattracksecurity.com/it-blog/dyre-now-using-signed-certificates-htDyre
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://www.threattracksecurity.com/it-blog/dyre-now-using-signed-certificates-hte-Banking
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.topronet.com
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.co.kr/cloud-content/us/pdfs/security-intelligence/white-pa
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape//Operation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape089Operation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape1EOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape5bOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape6Operation
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-pape8
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeA
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeAmazon
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeAttacks
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeBraincrypt
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeNwOperation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeOperation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papePawn
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeSaOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeatOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papedOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papef6XSLCmd
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papegOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeiOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeioOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeion
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papepOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-paperOperation
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: http://www.trendmicro.de/media/wp/safe-a-targeted-threat-whitepaper-en.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.vip80000.com/hot/index.html
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: http://www.virusradar.com/en/Python_Agent.F/description
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmpString found in binary or memory: http://www.vkremez.com/2017/09/lets-learn-reversing-trickbot-banking.html
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://www.vkremez.com/2017/09/lets-learn-reversing-trickbot-banking.htmlAnalyzing
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://www.vkremez.com/2017/09/lets-learn-reversing-trickbot-banking.htmlMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: http://www.vkremez.com/2017/09/lets-learn-reversing-trickbot-banking.html_Muddying
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://www.volexity.com/blog/?p=158
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://www.volexity.com/blog/?p=158Grabit
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: http://www.volexity.com/blog/?p=158Trojan.Win32.Banker.NWT
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.wasabii.com.tw
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmpString found in binary or memory: http://www.waseda.jp/navi/security/2017/0414.html
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://www.waseda.jp/navi/security/2017/0414.htmlCallisto
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://www.waseda.jp/navi/security/2017/0414.htmlSpearphishing
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-l
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-lAggressive
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-lCompromised
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-lb
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-lhnCompromised
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom.
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-customFancy
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-customNetTraveler
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-customSednit
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afgha
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afgha:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghaBingo
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghaoKorplug
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/MSIL/Agent.PYO
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/01/29/msilagent-pyo-have-botnet-will-travel/Operation
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/04/09/operation-buhtrap/
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/04/09/operation-buhtrap/Operation
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/04/09/operation-buhtrap/ROKRAT
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/04/09/operation-buhtrap/The
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spamHong
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spamMumblehard
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/Winnti
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/07/23/porn-clicker-keeps-infecting-apps-on-go
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-g
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-gCarbanak
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-gGazing
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/09/17/the-trojan-games-odlanor-malware-cheats
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/09/22/android-trojan-drops-in-despite-googles
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/10/20/multi-stage-exploit-installing-trojan/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/10/20/multi-stage-exploit-installing-trojan/Multi-stage
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2015/10/20/multi-stage-exploit-installing-trojan/Wiper
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-indust
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-indust?
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industNew
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/01/20/new-wave-attacks-ukrainian-power-industTaiwan
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/07/01/espionage-toolkit-targeting-central-eas
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/07/01/espionage-toolkit-targeting-central-easVulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/07/12/nymaim-rides-2016-reaches-brazil/Regin
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/07/12/nymaim-rides-2016-reaches-brazil/lRegin
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmiss
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/2016/10/20/new-eset-research-paper-puts-sednit-und
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Thr
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.p
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pLinux/Moose
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pMalicious
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressDrOperation
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressOperation
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Expressare
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressatOperation
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressinOperation
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressmpOperation
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressonOperation
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressooOperation
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressozOperation
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressspAnalysis
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-ExpressukOperation
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pd
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pd.
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pd.0
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pd.p
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdOperation
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdStantinko
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: http://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.wzpg.com
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.xcodez.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.xfocus.net
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.xfocus.org
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.xxx.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://www.xxx.com/xxx.exe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://x.x.x/x.dll
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: http://zhouzhen.eviloctal.org
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/(APT-C-23)
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/Erebus
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/MONSOON
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/Petya
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/SpyNote
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: http://zhuiri.360.cn/report/index.php/2017/03/09/twotailedscorpion/i(APT-C-23)
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://1.2.3.4:1234)
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://127.0.0.1:6655/cgi/redmin?op=cron&action=once
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://401trg.pw/an-update-on-winnti/
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://401trg.pw/an-update-on-winnti/An
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://401trg.pw/an-update-on-winnti/Fireeye:
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://401trg.pw/an-update-on-winnti/SlingShot
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://401trg.pw/burning-umbrella/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://adaclscan.codeplex.com/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://app.any.run/tasks/719c94eb-0a00-47cc-b583-ad4f9e25ebdb
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/a2zw9uye2hhofsc1me6yfj39u6gjalcq
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/a2zw9uye2hhofsc1me6yfj39u6gjalcqDuke
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/a2zw9uye2hhofsc1me6yfj39u6gjalcqlInside
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/c95me2uocwoothfnapxrcjwfmynue4ri
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/gh8m5os2jewj2adleu2xqivj9qzf9ok8
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/gh8m5os2jewj2adleu2xqivj9qzf9ok8ENeutrino
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/gh8m5os2jewj2adleu2xqivj9qzf9ok8iRetefe
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/gh8m5os2jewj2adleu2xqivj9qzf9ok8mbot-APT.pdf
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/x2jgr4j1bgfas2h2b4h09mam9nn4qwu3
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/x2jgr4j1bgfas2h2b4h09mam9nn4qwu3APT1:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/x2jgr4j1bgfas2h2b4h09mam9nn4qwu3Group5:
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/x2jgr4j1bgfas2h2b4h09mam9nn4qwu3THE
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57
Source: vnwareupdate.exe, 00000003.00000003.237233008.00000000036C1000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv576BE21E389056CA028CF9083E42A765E8F61B0B5C;Crypt
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57EvilBunny
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57Footprints
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57Pincav
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://app.box.com/s/xvilsesi5qd2gh6so2g3tnric51ndv57The
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: https://arsenalexperts.com/Case-Studies/Odatv/
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: https://asert.arbornetworks.com/an-update-on-the-urlzone-banker/
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://asert.arbornetworks.com/automating-intelligence-discovering-recent-plugx
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://asert.arbornetworks.com/automating-intelligence-discovering-recent-plugxDiscovering
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://asert.arbornetworks.com/automating-intelligence-discovering-recent-plugxTargeted
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://asert.arbornetworks.com/lojack-becomes-a-double-agent/8
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://asert.arbornetworks.com/lojack-becomes-a-double-agent/Bronze
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://asert.arbornetworks.com/lojack-becomes-a-double-agent/Fancy
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://asert.arbornetworks.com/peeking-at-pkybot/
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://asert.arbornetworks.com/peeking-at-pkybot/Pkybot:
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://asert.arbornetworks.com/peeking-at-pkybot/RawPOS
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmpString found in binary or memory: https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmpString found in binary or memory: https://attack.mitre.org/wiki/Software/S0142
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://attack.mitre.org/wiki/Software/S0142APT10
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://attack.mitre.org/wiki/Software/S0142New
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: https://badcyber.com/new-mirai-attack-vector-bot-exploits-a-recently-discovered-
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20R
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20RPitty
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20RRSA
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20RUnmasking
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareAPT
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/avast-tracks-down-tempting-cedar-spywareDarkhotel
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/downloaders-on-google-play-spreading-malware-to-steal-fac
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/downloaders-on-google-play-spreading-malware-to-steal-fac6B6E023B4221BAE8ED37
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/downloaders-on-google-play-spreading-malware-to-steal-facDownloaders
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-t
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-tCerber
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-tH
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-tNew
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customers
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customers-The
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customersSThe
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customerseThe
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://blog.avast.com/retefe-banking-trojan-targets-uk-banking-customersuRetefe
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://blog.bit9.com/2015/09/04/threat-research-team-goes-beyond-the-exploit-in
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: https://blog.bit9.com/2015/09/04/threat-research-team-goes-beyond-the-exploit-inFrom
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://blog.bit9.com/2015/09/04/threat-research-team-goes-beyond-the-exploit-inPayloads
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://blog.comodo.com/comodo-news/comodo-protects-five-universities-new-malwar
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmpString found in binary or memory: https://blog.comodo.com/comodo-news/comodo-protects-five-universities-new-malwarTrojan.DarkLoader
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: https://blog.comodo.com/comodo-news/comodo-warns-android-users-of-tordow-v2-0-ou
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: https://blog.comodo.com/comodo-news/comodo-warns-android-users-of-tordow-v2-0-ou4Tordow
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: https://blog.comodo.com/comodo-news/comodo-warns-android-users-of-tordow-v2-0-ouContinued
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: https://blog.comodo.com/comodo-news/comodo-warns-android-users-of-tordow-v2-0-ouTordow
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmpString found in binary or memory: https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-ag
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-agAnalysis
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-agOperation
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://blog.cyber4sight.com/2017/02/technical-analysis-watering-hole-attacks-agtRecent
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmpString found in binary or memory: https://blog.cylance.com/an-introduction-to-alphalocker
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companiesDigitally
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companiesThe
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/graftor-variant-leveraging-signed-microsoft-executable
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/grand-theft-auto-panda
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/grand-theft-auto-pandaThe
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/petya-returns-as-goldeneye-strikes-germany
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/petya-returns-as-goldeneye-strikes-germany.
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/petya-returns-as-goldeneye-strikes-germany8
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/petya-returns-as-goldeneye-strikes-germanyDridex
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/petya-returns-as-goldeneye-strikes-germanyPetya
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radarShell
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radarTick
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cylance.com/the-ghost-dragon
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cyveillance.com/widespread-malspam-campaign-delivering-locky-ransom
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cyveillance.com/widespread-malspam-campaign-delivering-locky-ransomChina-based
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.cyveillance.com/widespread-malspam-campaign-delivering-locky-ransomWidespread
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://blog.ensilo.com/uncovering-new-activity-by-apt10
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.eset.ie/2016/09/01/torrentlocker-crypto-ransomware-still-active-usi
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2016/06/14/obfuscated-bitcoin-miner-propagates-through
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2016/07/25/insights-on-torrentlocker
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2016/11/02/the-angry-spam-and-the-tricky-macro-deliver
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2016/11/02/the-angry-spam-and-the-tricky-macro-deliverHancitor
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2016/11/28/a-new-all-in-one-botnet-proteus
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizati
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbotA
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbotRecent
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/09/20/evasive-malware-campaign-abuses-free-cloud-
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/09/20/evasive-malware-campaign-abuses-free-cloud-Evasive
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/09/20/evasive-malware-campaign-abuses-free-cloud-Malware
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/09/20/evasive-malware-campaign-abuses-free-cloud-Operation
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/10/12/pdf-phishing-leads-to-nanocore-rat-targets-
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/10/12/pdf-phishing-leads-to-nanocore-rat-targets-6PDF
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/10/12/pdf-phishing-leads-to-nanocore-rat-targets-diPDF
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/10/29/evasive-sage-2-2-ransomware-variant-targets
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/10/29/evasive-sage-2-2-ransomware-variant-targetsBadRabbit
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/10/29/evasive-sage-2-2-ransomware-variant-targetsEvasive
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/10/29/evasive-sage-2-2-ransomware-variant-targetsdcc6;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitc
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitc7A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitc9A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcaA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcaMaster
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcgA
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-Emissary
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-New
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-black
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackSouth
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fortinet.com/post/over-100-000-south-korean-users-affected-by-blackTunnel
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fox-it.com/2017/04/14/a-mole-exposing-itself-to-sunlight/
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fox-it.com/2017/04/14/a-mole-exposing-itself-to-sunlight/A
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/Operation
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/Snake:
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/2014/02/23968-uroburos-highly-complex-espionage-s
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/2014/11/23937-the-uroburos-case-new-sophisticated
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/2015/01/23927-evolution-of-sophisticated-spyware-l
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/blog/article/new-dridex-infection-vector-identifi
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/blog/article/new-dridex-infection-vector-identifiAngler
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/blog/article/new-dridex-infection-vector-identifiNew
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/blog/article/new-dridex-infection-vector-identifiSofacy
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/blog/article/the-andromedagamarue-botnet-is-on-th
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/blog/article/the-andromedagamarue-botnet-is-on-thAndromeda
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/blog/article/the-andromedagamarue-botnet-is-on-thThe
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.gdatasoftware.com/blog/article/the-andromedagamarue-botnet-is-on-thaAndromeda
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.korumail.com/cyber-security/french-commercial-proposal-malware/
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/cybercrime/2016/10/get-your-rat-on-pastebin/
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/cybercrime/2017/01/the-curious-case-of-a-sundown-e
Source: vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptominin
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/cybercrime/2017/11/persistent-drive-by-cryptomininTNewly
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/cybercrime/exploits/2016/08/malvertising-campaign-
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-docShakti
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-docShell
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-docTordow
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disg
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disgCmstar
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disgKorplug
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/04/usps-themed-malspam-now-de
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/cerber-ransomware-delivere00OilRig
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/cerber-ransomware-delivereOilRig
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/locky-ransomware-adds-anti
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/locky-ransomware-adds-antiCarbanak
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/locky-ransomware-adds-antiLocky
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2017/08/locky-ransomware-adds-antiNb
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heaven
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavenA
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavenMalicious
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experimen
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experimenDrive-by
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experimenMalware
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distri
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distriNew
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distriSkygofree:
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/botnets/2015/08/whos-behind-your-proxy-uncovering-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/botnets/2015/08/whos-behind-your-proxy-uncovering-NitlovePOS:
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/botnets/2015/08/whos-behind-your-proxy-uncovering-Operation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/botnets/2015/08/whos-behind-your-proxy-uncovering-Uncovering
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/exploits-2/2015/05/unusual-exploit-kit-targets-chi
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/exploits-2/2015/05/unusual-exploit-kit-targets-chiRTF
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/exploits-2/2015/05/unusual-exploit-kit-targets-chiUnusual
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/exploits-2/2015/11/blast-from-the-past-blackhole-e
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-c
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-cDyre
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-cUnusual
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/intelligence/2015/12/inside-chimera-ransomware-the
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/intelligence/2016/03/maktub-locker-beautiful-and-d
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/malvertising-2/2015/11/the-casino-malvertising-cam
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/malvertising-2/2015/12/spike-in-malvertising-attac
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp | String found in binary or memory: https://blog.malwarebytes.org/threat-analysis/exploits-threat-analysis/2016/04/a
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massiFlash
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp | String found in binary or memory: https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-ov
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-ov:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-ovSamSam
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-OH-Worm
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-OPoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-PoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-arPoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-nPoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-oPoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-rPoS
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/a-peek-inside-a-pos-sPoS
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu.gDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu/gDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu0
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu1BDeciphering
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu2
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu22Deciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu43Deciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu52Deciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu70Deciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciu89NEW
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuA9Deciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuAPDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuClDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuCyDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuDCSO
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciud
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuf
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciunSDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuppDeciphering
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciups://goo.gl/CywXnS
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-tar
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-tarLazarus
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaig
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulner
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnerDrive-by
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnerFalse
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnerOracle
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulnere
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/struts-dotnetnuke-se
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/struts-dotnetnuke-seFlash
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac0Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac1Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac2Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac6Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac7Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac9Vulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacDragonOK
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacEspionage
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacH
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacIVulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacTVulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apacVulnerabilities
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-co
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-coCARBANAK
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/carbanak-group-uses-google-malware-coCarbon
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/dridex-shadows-blacklisting-stealth-a
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-st
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-stJaff
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/mm-core-memory-backdoor-returns-bigbo
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-.gNEW
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-0
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-99NEW
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-CyNEW
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/new-year-new-look-dridex-compromised-FEA
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismu
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-d
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dTracking
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dUDPOS
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/ursnif-variant-found-using-mouse-move8
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/ursnif-variant-found-using-mouse-moveMalumPoS:
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/ursnif-variant-found-using-mouse-moveUrsnif
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custo
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custoChinese
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custoZEUS
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/android-malware-clicker-dgen-found-google-p
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/android-malware-clicker-dgen-found-google-pActor
Source: vnwareupdate.exe, 00000003.00000003.244930410.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/evoltin-pos-malware-attacks-via-macro
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-system
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacksNetwire
Source: vnwareupdate.exe, 00000003.00000003.241767951.0000000005691000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/Lurk:
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/rovnix-downloader-sinkhole-time-checks/Rovnix
Source: vnwareupdate.exe, 00000003.00000003.233349750.0000000006273000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/targeted-attack-campaign-indian-organizatio
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/targeted-attack-campaign-indian-organizatioSpearphishing
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.mcafee.com/mcafee-labs/targeted-attack-campaign-indian-organizatioTerracotta
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/cat-phishing/
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/cat-phishing/Cat
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/cat-phishing/New
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/peering-into-glassrat/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/Operation
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/Peering
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf2RSA
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf8
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdf9bOperation
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfDarkhotel
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfOperation
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfR
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfRRSA
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfRSA
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfcRSA
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/05/RSA-IR-Case-Study.pdfchRSA
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/08/Terracotta-VPN-Report-Final-8-3
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/08/Terracotta-VPN-Report-Final-8-39Terracotta
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/08/Terracotta-VPN-Report-Final-8-3Digitally
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/08/Terracotta-VPN-Report-Final-8-3Terracotta
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://blogs.rsa.com/wp-content/uploads/2015/08/Terracotta-VPN-Report-Final-8-3The
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://cdn.securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-p
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdfLegspin
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdfOilRig
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf.dAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf20Analysis
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfMaAnalysis
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfThe
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfampAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfare
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfgiAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfhtAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfmlAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfo-Analysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfpeAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfpoAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfprAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfs.Analysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdftaAnalysis
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfumAnalysis
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-co
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-coEthiopian
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-coThe
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-cobEthiopian
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-wit
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-wit2Inside
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-witInside
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-witSamSam
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposedCNCERT
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposedFrom
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposedMalware
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposedPayloads
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposedPossible
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposede
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/recent-observations/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/recent-observations/Exploring
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/recent-observations/Inside
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/recent-observations/Recent
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2012/07/recent-observations/Wiper
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2013/03/you-only-click-twice-finfishers-global-proliferat
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-commun
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-communKnock
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-communMicrosoft
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-communSurtr:
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2013/08/surtr-malware-family-targeting-the-tibetan-communaCryptoLuck
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/Iranian
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/Malware
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmpString found in binary or memory: https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/Communities
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/Tibetan
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-gr
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-grSpoofed
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-grTargeted
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2015/08/what-we-know-about-the-south-korea-niss-use-of-ha
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2015/08/what-we-know-about-the-south-korea-niss-use-of-haPackrat:
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2015/10/targeted-attacks-ngo-burma/Quaverse
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/APT29
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/Angler
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/Group5:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/Lazarus
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: https://citizenlab.org/2016/08/group5-syria/Miniduke
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://coinhive.com/documentation/miner
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-a
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-aKeyBoy
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-aeKeyBoy
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attack
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-ta
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp String found in binary or memory: https://community.rapid7.com/community/infosec/blog/2013/08/19/byebye-and-the-taOperation
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/07/10/active-m8
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/04/targeted/hRemcos
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/04/targetedBCHTHONIC
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/04/targetedlesCHTHONIC
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-Did
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-Russian
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-Tale
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/08/18/russian-uRussian
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp String found in binary or memory: https://community.rsa.com/community/products/netwitness/blog/2017/12/08/grateful
Source: vnwareupdate.exe, 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp String found in binary or memory: https://creativecommons.org/licenses/by-nc/4.0/
Source: vnwareupdate.exe, 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp String found in binary or memory: https://creativecommons.org/licenses/by-nc/4.0/.
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp String found in binary or memory: https://cyberkov.com/wp-content/uploads/2016/09/Hunting-Libyan-Scorpions-EN.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/azorult-version-2-atrocious-spyware-in8
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-AzorUlt
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-Double
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-official
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officialCyber
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officialLazarus
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officialR
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishin
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishinn
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/uri-terror-at
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-emb
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp String found in binary or memory: https://cysinfo.com/uri-terror-attack-spear-phishing-emails-targeting-indian-embURI
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp String found in binary or memory: https://digitasecurity.com/blog/2018/02/19/coldroot/
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: https://digitasecurity.com/blog/2018/02/19/coldroot/Denis
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://dl.dropbox.com/u/105015858
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://dl.dropbox.com/u/105015858/nome.exe
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: https://docs.googl
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErcContinued
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErcNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErcs
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX01Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX03Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX08Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX31Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX32Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX33Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX37Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX5cCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX5dCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX66Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX78Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX7dCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX80
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX84Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX8dCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX93Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX95Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RX97Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXNewly
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXPTCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXa7Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXaeCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXalCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXasCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXb6Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXc7Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXc8Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXcdCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXctCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXd8Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXe3Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXe6Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXf1Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXf6Campaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXfcCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXmyCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXneCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXpdfCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXpeCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXroCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXteCampaign
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/u/1/d/e/2PACX-1vR2TWm68bLidO3e2X0wTCqs0609vo5RXtoCampaign
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/Appendix-DressCode-Android-Malware-Finds
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/Appendix-DressCode-Android-Malware-Finds.
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/Appendix-DressCode-Android-Malware-FindsChinese
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/Appendix-DressCode-Android-Malware-FindsDressCode
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/appendix-CVE-2017-11882-exploited-to-del
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/appendix-CVE-2017-11882-exploited-to-delCVE-2017-11882
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/appendix-CVE-2017-11882-exploited-to-delStrongPity2
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybere
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybere8fb36bf4d5cf98c2;APT
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybereAPT3
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybereCVE-2017-10271
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybereNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cybereUntangling
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/appendix-untangling-the-patchwork-cyberefb28dee5fde7cbb0;APT
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphin
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinCyberespionage
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp String found in binary or memory: https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinTravle
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: https://exchange.xforce.ibmcloud.com/collection/Group-123s-2016-to-2018-Campaign
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp String found in binary or memory: https://exchange.xforce.ibmcloud.com/collection/Group-123s-2016-to-2018-Campaign/Skygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp String found in binary or memory: https://exchange.xforce.ibmcloud.com/collection/Group-123s-2016-to-2018-Campaign0Comnie
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp String found in binary or memory: https://f5.com/labs/articles/threat-intelligence/malware/marcher-gets-close-to-u
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: https://f5.com/labs/articles/threat-intelligence/malware/marcher-gets-close-to-u8
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp String found in binary or memory: https://f5.com/labs/articles/threat-intelligence/malware/marcher-gets-close-to-uMARCHER
Source: vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp String found in binary or memory: https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: https://f5.com/labs/articles/threat-intelligence/malware/new-python-based-crypto8
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp String found in binary or memory: https://file.gdatasoftware.com/web/en/documents/whitepaper/Rurktar.pdf
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp String found in binary or memory: https://file.gdatasoftware.com/web/en/documents/whitepaper/Rurktar.pdfAPT29
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp String found in binary or memory: https://file.gdatasoftware.com/web/en/documents/whitepaper/Rurktar.pdfRurktar
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp String found in binary or memory: https://firstlook.org/theintercept/2015/08/21/inside-the-spyware-campaign-agains
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://ghostbin.com/paste/jsph7
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp String found in binary or memory: https://ghostbin.com/paste/xgvdv
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp String found in binary or memory: https://gist.github.com/edeca/01f5e35d7de074cdd6710caddd973965
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp String found in binary or memory: https://gist.github.com/edeca/01f5e35d7de074cdd6710caddd973965Paranoid
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp String found in binary or memory: https://gist.github.com/edeca/01f5e35d7de074cdd6710caddd973965The
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/0x00-0x00/ShellPop
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/0xbadjuju/Sharpire_RID2A4F
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/AlessandroZ/BeRoot/tree/master/Windows
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/AlessandroZ/LaZagne
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/AlessandroZ/LaZagne/releases/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/BeetleChunks/redsails
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Ben0xA/nps
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Cn33liz/SharpCat_RID2A27
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Cn33liz/p0wnedShell
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/CoreSecurity/impacket
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/DarthTon/Blackbone
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/FuzzySecurity/PowerShell-Suite
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/HarmJ0y/KeeThief
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Kevin-Robertson/Invoke-TheHash
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/MalwareTech/UACElevator_RID2B2C
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Neo23x0/Loki/issues/35
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Neo23x0/yarGen
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/PowerShellEmpire/Empire
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Voulnet/CVE-2017-8759-Exploit-sample
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Torte_ELF.yarLinux
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Yara-Rules/rules/blob/master/malware/MALW_Torte_ELF.yarRurktar
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/adaptivethreat/Empire
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/bartblaze/PHP-backdoors
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/bitsadmin/nopowershell
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp String found in binary or memory: https://github.com/citizenlab/malware-signatures/blob/master/packrat/domains.csv
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp String found in binary or memory: https://github.com/citizenlab/malware-signatures/blob/master/packrat/domains.csvPackrat:
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp String found in binary or memory: https://github.com/citizenlab/malware-signatures/blob/master/packrat/domains.csvRovnix
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp String found in binary or memory: https://github.com/citizenlab/malware-signatures/blob/master/packrat/domains.csvSouth
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/cpaton/Scripting/blob/master/VBA/Base64.bas
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp String found in binary or memory: https://github.com/eset/malware-ioc/blob/master/sednit/part3.adoc
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp String found in binary or memory: https://github.com/eset/malware-ioc/blob/master/sednit/part3.adocA
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp String found in binary or memory: https://github.com/fireeye/iocs/tree/master/APT28
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/foxglovesec/RottenPotato
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/frohoff/ysoserial
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/g0tmi1k/exe2hex
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/gdssecurity/PSAttack/releases/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/gentilkiwi/kekeo/releases
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/gentilkiwi/mimikatz/releases
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/hfiref0x/UACME
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/huntergregal/mimipenguin
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/jaredhaight/Invoke-MetasploitPayload/blob/master/Invoke-MetasploitPayload.ps1
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://github.com/joridos/custom-ssh-backdoor05ce6e55dc8b2cdf07eca710c652032dae7940d9f719d24c65de77
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/maaaaz/impacket-examples-windows
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/mdsecactivebreach/CACTUSTORCH_RID2A54
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/n1nj4sec/pupy-binaries
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmpString found in binary or memory: https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%2
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/nccgroup/Winpayloads
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/nccgroup/redsnarf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/nikicat/web-malware-collection
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/odzhan/shells/
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmpString found in binary or memory: https://github.com/pan-unit42/iocs/blob/master/ramdo/hashes.txt
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/peewpw/Invoke-PSImage
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/ptrrkssn/pnscan
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/putterpanda/mimikittenz
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/rsmudge/metasploit-loader
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/samratashok/nishang
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/skelsec/PyKerberoast
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/sqlmapproject/sqlmap
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: https://github.com/stamparm/EternalRocks
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://github.com/stamparm/EternalRocksBronze
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://github.com/stamparm/EternalRocksEDB660EF32E2FD59AD1E610E9842C2DF;Dridex
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://github.com/stamparm/EternalRocksEternalRocks
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://github.com/stamparm/EternalRocksProject
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://github.com/stamparm/EternalRocksTofsee
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/subTee/AllTheThings_RID2BB8
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/t3ntman/CrunchRAT_RID2A5B
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/tiagorlampert/CHAOS
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/valsov/BackNet
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/vysec/ps1-toolkit
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/wordfence/grizzly
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/xmrig/xmrig/releases
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://github.com/zerosum0x0/koadic
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://go.recordedfuture.com/hubfs/reports/cta-2018-0116-appendix.pdf
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://go.recordedfuture.com/hubfs/reports/cta-2018-0116-appendix.pdf-2017-9805
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: https://go.recordedfuture.com/hubfs/reports/fr-2018-0214.pdf
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://go.recordedfuture.com/hubfs/reports/fr-2018-0214.pdfDDG:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://go.recordedfuture.com/hubfs/reports/fr-2018-0214.pdfTargeting
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://go.recordedfuture.com/hubfs/reports/fr-2018-0214.pdfurce:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/4if3HG
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/4nyX1e
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/4nyX1eAPT29
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/4nyX1eAPTnotes
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/4pTkGQ
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/5jvv9q
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/7jGkpV
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/7yKyOj
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/7yKyOjq
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/8LbqZ9
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/8LbqZ9Bronze
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/8LbqZ9IB
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/8U6fY2
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/8U6fY23e91f399d207178a5aa6de3d680b58fc3f239004e541a8bff2cc3e851b76e8bb0914f9fbdac67cd
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/9DNn8q
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/AW9Cuu
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/BSQWzw
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/BvYurS
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/CX3KaY
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/CpfJQQ
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/CywXnS
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/CywXnS3f23d152cc7badf728dfd60f6baa5c861a500630nS10586913ceeecd408da4e656c29ed4e91c6b7
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/E4qia9
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/HG2j5T
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/HZ5XMN
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/JAHZVL
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/JAlw3s
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/JQVfFP
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/L9g9eR
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/L9g9eR0
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/L9g9eRIRC
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/L9g9eRMiddle
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/L9g9eRP
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/L9g9eRp
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/LXeeW70face841f7b2953e7c29c064d6886523W7APT28
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/LXeeW77e68371ba3a988ff88e0fb54e2507f0d0529b1d393f405bc2b2b33709dd571539fea62c042a8eda
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/LXeeW7APT28
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/MSJCxP
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/MZ7dRg
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/Mr6M2J
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/N5MEj0
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/Nbqbt6
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/OOB3mH
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/OkB63qFidelis
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/PChE1z
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/Pg3P4W
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/QMRZ8K
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/QaOh4V
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/Qew6dT
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/RLf9qU
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/RvDwwA
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/SjQhlp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/VbvJtL
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/VdrwgR
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/WVflzO
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/Z292v6
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/Z3JUAA
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/eFoP4A
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/ffeCfd
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/h6iaGj
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/hDQizk(w
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/hDQizk036EB11A5751C77BC65006769921C8E5;Bots
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/hDQizk1CCC528390573062FF2311FCFD555064;Data-Stealing
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/hDQizk3A25847848C62C4F2DCA67D073A524AE;Destover
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/hDQizk8
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/hDQizk80
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxY
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxY23d.exe
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxY89d.exe
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYAbg.exe
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYConEmu.exe
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYFile.dll
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYNoodles.exe
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYOrange
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYPort.dll
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYSession.dll
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYShell.dll
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYSocks.dll
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYY
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYf3e3e25a822012023c6e81b206711865Energetic
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/i3prxYrk
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/iqH8CK
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/jKIfGB
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/jhJWRpUpdateproxy.dll
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/joxXHF
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/jp2SkT
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/p32Ozf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/pTffPA
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/puVc9q
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/qScSrE
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/qeBHsr
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/rW1yvZ
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/snc85M
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/t3uUTG
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/t3uUTGMofang
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/t3uUTGTROJ_WERDLOD:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/tcSoiJ
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/tezXZt
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/th5q2vGMicrosoft
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/uAic1X
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/urp4CD
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/v3ebal
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/vtQoCQ
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/vtQoCQProject
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/wt1xlh
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/wt1xlhD1C27EE7CE18675974EDF42D4EEA25C6;Destover
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/wt1xlhProject
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/wt1xlhROKRAT
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/wt1xlhTROJ_WERDLOD:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/x81cSy
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/xnKTgt
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/xnKTgt.p9
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/xnKTgtrk
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/zPsn83
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/zRf5V8
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/zRf5V83da8e94c6d1efe2a039f49a1e748df5eef01af5aV8The
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/zRf5V84bdd366d8ee35503cf062ae22abe5a4a2d8d8907V8The
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://goo.gl/zRf5V85c52996d9f68ba6fd0da4982f238ec1d279a7f9d8839d3e213717b88a06ffc48827929891a10059
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/;US
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/Bankshot
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/IoTroop
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/ac317ed78f8016d59cb4
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/b9feb1af431404d1c55e
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/c310a9c431577f348923
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/c5f97184;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/d3f074b70788897ae7e2
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/d8cfafa2b02b6a25bd3b
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/dc8985226b7b2c468bb8
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/e3aa12fb899cd715abbe
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/f70e18fe0dedabefe9bf
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/h
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/ho
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/k-MaudiOperation.pdf
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/s
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/1A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/5Continued
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/8A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/Cyberattack
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/aA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/gA
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/iA
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp-
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp285ff9c2339c8e9dbf;A
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp29APT3
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp5aAPT3
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirp86APT3
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpdiAPT3
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpe7APT3
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://research.checkpoint.com/apt-attack-middle-east-big-bang/
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/.pBRONZE
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/01IoTroop
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/IoTroop
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/arIoTroop
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/ark-MaudiOperation.pdf
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://research.checkpoint.com/iotroop-botnet-full-investigation/raIoTroop
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-ba
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-baPTCyber
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-badfThe
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-baseThe
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-bateThe
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/Paranoid
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-malspam-targeting-bra
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-malspam-targeting-braMalspam
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-malspam-targeting-braNemucodAES
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-v00OilRig
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-vCerber
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-vOilRig
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-vTargeted
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-vTemp.Periscope
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-vTriton
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-tro
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-troSpyDealer:
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-The
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-Tick
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-pers
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persTwoFace
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-cont8
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-contDefaulting
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-contThe
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-n
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-nScanned
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-the-curious-case-of-nThe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-at
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-lay
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-lay7e94;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layAnalyzing
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-lay_Analyzing
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-ta
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-taBotnet
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-taHoeflerText
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-CVE-2017-8759:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-Threat
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/BadPatch
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/New
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/Operation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/Paranoid
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/e
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targe
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targe9Skygofree:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeFreeMilk:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeMSkygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targecSkygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targelFreeMilk:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targetFreeMilk:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-c
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeuSkygofree:
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-at
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-atInsider
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-atOilRig
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-d
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targe
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeFormBook
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeTargeted
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta18Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta1dMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta2eTrickbot
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta3
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta31Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta54Trickbot
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta7dMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-taLockCrypt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta_cMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-ta_oMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-taa4Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-taafMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tab1Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tab5Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tabfMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tac0Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tac62ef8;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tac7Trickbot
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tad2787b;APTnotes
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tadiMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tameMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-tatoMuddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-taw_Muddying
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discove
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties0New
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties1BEBLOH
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties1New
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties6New
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesTNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesaNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesbNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiescNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesdNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tieseNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesfNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesiNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesoNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesomise.pdf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tiesseNew
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-c
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-cIOilRig
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-cPDF
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-operation-blockbuster
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-operation-blockbusterNew
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-operation-blockbusterOperation
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-operation-blockbusterer
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit4Recent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit5Recent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit92Recent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit9Recent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploit_Recent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploitcRecent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploitdRecent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploiteRecent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploitiRecent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploitoEvasive
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploitoRecent
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-ea
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-eaThe
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-eaUBoatRAT
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/12/unit42-master-channel-the-bo
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/12/unit42-master-channel-the-bo2Muddying
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2017/12/unit42-master-channel-the-boMaster
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-targ
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-targComnie
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-targrComnie
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-iot-malware-evolves-h
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-iot-malware-evolves-hIoT
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-iot-malware-evolves-hNorth
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-cr
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-crLarge
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-ii
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iiOilRig
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iicLarge
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-m
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/-PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis//PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/0PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/1PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/2PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/3PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/4PowerStager
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/5PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/6PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/7PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/8PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/Carbanak
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/EPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/VnPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/aPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/bPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/cPowerStager
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/ePowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/fOperation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/fPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/iPowerStager
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/oPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/sPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/tPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/uPowerStager
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/usPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/wPowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/xPowerStager
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-a
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-aKovter
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-aThe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-mi
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-cus
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukr
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entiti
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-servic
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-u
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-t
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmini
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://s.tencent.com/research/report/471.html
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmpString found in binary or memory: https://sec0wn.blogspot.ae/2017/10/knock-knock-knocking-on-ehdoor-curious.html
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://sec0wn.blogspot.ae/2017/10/knock-knock-knocking-on-ehdoor-curious.htmlKnock
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://sec0wn.blogspot.ae/2017/10/knock-knock-knocking-on-ehdoor-curious.htmlSurtr:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://sec0wn.blogspot.ae/2017/10/knock-knock-knocking-on-ehdoor-curious.htmlThreat
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.htm
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.htmContinued
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://sec0wn.blogspot.com/2017/10/continued-activity-targeting-middle-east.htmThe
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/78674/sambacry-is-coming/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/0A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/1A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/2A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/3A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/5A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/6A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/6SamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/7A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/8A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/9A
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/A
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/MA
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/SA
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/Sample
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/Sednit
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/bA
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/cA
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/fA
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/a-slice-of-2017-sofacy-activity/83930/s
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/36462/stuxnetduqu-the-evolution-of-
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsin
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsin.p
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsin8
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinHellsing
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsinWinnti
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/69953/the-naikon-apt/
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/69953/the-naikon-apt/Citadel
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/69953/the-naikon-apt/GlobeImposter
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/69953/the-naikon-apt/The
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/72087/the-shade-encryptor-a-double-
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/analysis/publications/72356/i-am-hdroot-part-2/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/apt-slingshot/84312/
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/apt-slingshot/84312/.
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/apt-slingshot/84312/Bronze
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/apt-slingshot/84312/SlingShot
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/apt-trends-report-q2-2017/79332/Dridex
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/apt-trends-report-q2-2017/79332/Greenbugs
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/atm-malware-from-latin-america-to-the-world/83836/
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/atm-malware-from-latin-america-to-the-world/83836/18Bingo
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/atm-malware-from-latin-america-to-the-world/83836/5fInside
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/atm-malware-from-latin-america-to-the-world/83836/6cBingo
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/The
Source: vnwareupdate.exe, 00000003.00000003.238209992.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-d
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-dNew
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/incidents/33208/new-version-of-osx-sabpub-confirmed-
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/incidents/57647/the-red-october-campaign/
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/incidents/57647/the-red-october-campaign/IXESHE
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/incidents/57647/the-red-october-campaign/MyKings
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/incidents/57647/the-red-october-campaign/Temp.Periscope
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/incidents/57647/the-red-october-campaign/The
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/incidents/75812/the-equation-giveaway/
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/8
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/LockPoS
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/The
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/66108/el-machete/
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/66108/el-machete/10El
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/66108/el-machete/11023296f88f88bbb77d579f5fbad02e064274264c5066
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/66108/el-machete/El
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/66108/el-machete/dEl
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-t
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/68350/the-syrian-malware-part-2-who-is-the-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/68350/the-syrian-malware-part-2-who-is-the-.
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/68350/the-syrian-malware-part-2-who-is-the-Syrian
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/68350/the-syrian-malware-part-2-who-is-the-Tibetan
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-l
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-lLegspin
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-lOilRig
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-lSkeleton
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-ga
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-gaThe
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-pla
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-plaEquationDrug
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-plaOperation
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-plaSpam
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70087/grabit-and-the-rats/8
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70087/grabit-and-the-rats/APT
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70087/grabit-and-the-rats/Grabit
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70087/grabit-and-the-rats/Trojan.Win32.Banker.NWT
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticat
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticatTheDuqu
Source: vnwareupdate.exe, 00000003.00000003.245855228.00000000039E7000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70726/the-spring-dragon-apt/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70726/the-spring-dragon-apt/APT1:
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70991/games-are-over/
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70991/games-are-over/Communities
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70991/games-are-over/Dino
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/70991/games-are-over/Naoinstalad
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threa
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threaStrider:
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threaWild
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/(APT-C-23)
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/Jamieoliver
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/New
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-contr
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-contrOngoing
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-contrSatellite
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-contrTargeted
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/72187/coinvault-are-we-reaching-the-end-of-
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/72283/gaza-cybergang-wheres-your-ir-team/
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-Duke
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-Sofacy
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/73503/from-linux-to-windows-new-family-of-c
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/73866/atmzombie-banking-trojan-in-israeli-w
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/73866/atmzombie-banking-trojan-in-israeli-wATMZombie:
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/73866/atmzombie-banking-trojan-in-israeli-wLocky
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/74063/the-return-of-hackingteam-with-new-im
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/74063/the-return-of-hackingteam-with-new-imOngoing
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/74063/the-return-of-hackingteam-with-new-imThe
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/75040/lurk-banker-trojan-exclusively-for-ru
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/75328/the-dropping-elephant-actor/
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/75384/lurk-a-danger-where-you-least-expect-
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/76318/crypy-ransomware-behind-israeli-lines
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-fr
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-frIlluminating
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-frKopiLuwak:
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/blog/sas/77908/lazarus-under-the-hood/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/denis-and-company/83671/
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/denis-and-company/83671/Denis
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/denis-and-company/83671/Lazarus
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/denis-and-company/83671/OSX/Coldroot
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/07/Kaspersky_Lab_crouching_yeti_appendixes_eng
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/08/KL_report_syrian_malware.pdf
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/08/KL_report_syrian_malware.pdfSyrian
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/08/KL_report_syrian_malware.pdfThe
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/08/KL_report_syrian_malware.pdfWannaCry
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regi
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regi8
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_RegiAPT1:
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_RegiMiniduke
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_RegiRegin
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_engThe
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdfLinux
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2016/06/xDedic_marketplace_ENG.pdfTHE
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/gaza-cybergang-updated-2017-activity/82765/
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/gaza-cybergang-updated-2017-activity/82765/80
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/gaza-cybergang-updated-2017-activity/82765/A
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/gaza-cybergang-updated-2017-activity/82765/Gaza
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukrai
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/introducing-whitebear/81638/
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/introducing-whitebear/81638/Cat
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/introducing-whitebear/81638/Patchwork
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/luckymouse-ndisproxy-driver/87914/
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-m
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-mLarge
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/new-multi-platform-malwareadware-spreading-via-facebook-mNew
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/operation-applejeus/87553/
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/.
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729//
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/5F97C5EA28
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/APT
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/DCSO
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/Emissary
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ScarCruft
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/Turla
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/shadowpad-in-corporate-networks/81432/
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603-FreeMilk:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/836033Group
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/836033Skygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/836035FreeMilk:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/836039FreeMilk:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603Diplomats
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603SSkygofree:
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603Skygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603Spearphishing
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603aSkygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603ll
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603nSkygofree:
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603uGroup
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603wSkygofree:
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-thre
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threThe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/the-silence/83009/
Source: vnwareupdate.exe, 00000003.00000003.245855228.00000000039E7000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/8
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/travle-aka-pylot-backdoor-hits-russian-speaking-targets/8n
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/MSIL/Agent.PYO
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/WAP-billing
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/wap-billing-trojan-clickers-on-rise/81576/es
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/0Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/2Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/3Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/4Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/5Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/7Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/9Zero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/CZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/PZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/SZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/d
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/gZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/hZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/per
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/sZero-day
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://securelist.com/zero-day-vulnerability-in-telegram/83800/yZero-day
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-stea
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-te
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-teDragonfly:
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-teFancyBear
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-teThreat
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/apt28-threat-group-adopts-dde-teeThreat
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw(Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw-Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw.Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw/Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw0Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw1Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw2Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw3Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw4Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw5Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw6Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw8North
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw9Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw:Gold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwCGold
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwLGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwSGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwTGold
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwTick
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwVGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwaGold
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-pe
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwdGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malweGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwfGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwgt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwh
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwnGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwoGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwon
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwpGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwrGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwsGold
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malwuGold
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-globa
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-globaCyberespionage
Source: vnwareupdate.exe, 00000003.00000002.528528109.00000000028B2000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-globaLazarus
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-a
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-aLeakerLocker:
Source: vnwareupdate.exe, 00000003.00000003.245791168.00000000039A7000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeon
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeonps://goo.gl/CywXnS
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalis
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalis58cNorth
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalisNorth
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/north-korean-defectors-journalisbGSowbug:
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/targeted-campaign-steals-credent
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/targeted-campaign-steals-credentDragonfly:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/targeted-campaign-steals-credentIt
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/targeted-campaign-steals-credentMajikPOS
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://securingtomorrow.mcafee.com/mcafee-labs/targeted-campaign-steals-credentTargeted
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-repor
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-repor9Paggalangrypt.A
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmpString found in binary or memory: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reporJenX
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://security.web.cern.ch/security/venom.shtml
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: https://security.web.cern.ch/security/venom.shtmlEvilBunny
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://security.web.cern.ch/security/venom.shtmlFurther
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: https://security.web.cern.ch/security/venom.shtmlVENOM
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://security.web.cern.ch/security/venom.shtmllVENOM
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-themlRegin
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-wa
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://securityintelligence.com/the-full-shamoon-how-the-devastating-malware-waThe
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://sfkino.tistory.com/73
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmpString found in binary or memory: https://spamonmove.blogspot.co.uk/2017/01/email-on-10th-jan-2017-invoice-from.ht
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://st.drweb.com/static/new-www/news/2016/september/Investigation_of_Linux.M
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://st.drweb.com/static/new-www/news/2016/september/Investigation_of_Linux.MInvestigation
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://st.drweb.com/static/new-www/news/2016/september/Investigation_of_Linux.MThe
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://steemit.com/shadowbrokers/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://t.co/OLIj1yVJ4m
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmpString found in binary or memory: https://techhelplist.com/index.php/tech-tutorials/41-misc/444-aspr
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: https://techhelplist.com/index.php/tech-tutorials/41-misc/444-asprCVE-2017-0199:
Source: vnwareupdate.exe, 00000003.00000002.552214471.0000000003DA1000.00000004.00000001.sdmpString found in binary or memory: https://techhelplist.com/index.php/tech-tutorials/41-misc/444-asprLinking
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://twitter.co
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/0x766c6164/status/794176576011309056
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/0xffff0800/status/1118406371165126656
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/BThurstonCPTECH/status/1128489465327030277
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ClearskySec/status/933280188733018113
Source: vnwareupdate.exe, 00000003.00000003.245855228.00000000039E7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ClearskySec/status/944926250161844224
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ClearskySec/status/944926250161844224Angler
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ClearskySec/status/944926250161844224Group5:
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ClearskySec/status/960924755355369472
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ClearskySec/status/960924755355369472MS15-078
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ClearskySec/status/960924755355369472Operation
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ClearskySec/status/960924755355369472Sofacy
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ClearskySec/status/968104465818669057
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/DbgShell/status/1101076457189793793
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/DrunkBinary/status/1002587521073721346
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/DrunkBinary/status/1018448895054098432
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/DrunkBinary/status/982969891975319553
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ItsReallyNick/status/887705105239343104
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ItsReallyNick/status/975705759618158593
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/ItsReallyNick/status/980915287922040832
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/James_inthe_box/status/1072116224652324870
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/JoKe_42/status/879693258183647232
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.238209992.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/JohnLaTwC/status/915590893155098629
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/JohnLaTwC/status/915590893155098629Locky
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/MarceloRivero/status/988455516094550017
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/RedDrip7/status/1145877272945025029
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/Voulnet/status/892104753295110145
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/abuse_ch/status/1145697917161934856
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/asfakian/status/1044859525675843585
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/blu3_team/status/955971742329135105
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/buffaloverflow/status/907728364278087680
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/buffaloverflow/status/908455053345869825
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/crai
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/crai(APT-C-23)
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/craiPetya
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/craiu/status/900314063560998912
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/craiu/status/959477129795731458
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/sta
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/status/1097423665472376832
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/status/1097423665472376832ASCS
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/status/1097423665472376832Bronze
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/status/1097423665472376832Temp.Periscope
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/status/1129647994603790338
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/status/945588042080899072
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237233008.00000000036C1000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/status/9455880420808990728
Source: vnwareupdate.exe, 00000003.00000003.237440903.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/status/9455880420808990729750018A94D020A3D16C91A9495A7EC0;Data-Stealing
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/status/945588042080899072Further
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/status/945588042080899072Lazarus
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyb3rops/status/945588042080899072e
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/cyberintproject/status/961714165550342146
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/danielhbohannon/status/877953970437844993
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/danielhbohannon/status/905096106924761088
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/demonslay335/status/876940273212895234
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/demonslay335/status/876940273212895234Ding
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/demonslay335/status/876940273212895234Karagany.B
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://twitter.com/demonslay335/status/876940273212895234New
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.blueliv.comPincav
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmpString found in binary or memory: https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-l
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/Fiesta
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis///Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis//LRamnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/05Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/15Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/63Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/7dSWIFT
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/a3Ramnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/beRamnit
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/s
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/tofsee-en/
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/tofsee-en/Cat
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.cert.pl/en/news/single/tofsee-en/Tofsee
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245791168.00000000039A7000.00000004.00000001.sdmpString found in binary or memory: https://www.ci-project.org/blog/2017/10/1/h8ybw9lv70jigavhu46dexrlrhmow2
Source: vnwareupdate.exe, 00000003.00000003.245855228.00000000039E7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245956038.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://www.ci-project.org/blog/2017/9/11/incident-report-recent-incident-report
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://www.ci-project.org/blog/2017/9/11/incident-report-recent-incident-reportAnalysis
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://www.ci-project.org/blog/2017/9/11/incident-report-recent-incident-reportH
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://www.ci-project.org/blog/2017/9/11/incident-report-recent-incident-reportRecent
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: https://www.circl.lu/pub/tr-25/
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_Communities
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://www.contextis.com/documents/30/TA10009_20140127_-_CTI_Threat_Advisory_-_The
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-commi
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmpString found in binary or memory: https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-fiel
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-fielSednit
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: https://www.crowdstrike.com/blog/french-connection-french-aerospace-focused-cve-
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmpString found in binary or memory: https://www.crysys.hu/skywiper/skywiper.pdf
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.crysys.hu/skywiper/skywiper.pdfTargeted
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: https://www.csis.dk/en/csis/blog/4628/
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmpString found in binary or memory: https://www.cyberscoop.com/chipotle-hack-fin7-carbanak-baja-fresh-ruby-tuesday/
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/baijiu.html
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/baijiu.htmlBAIJIU:
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/baijiu.htmlIOCS
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.El
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.Malspam
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/rawpos-malware.html
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/rawpos-malware.htmlHikit
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/rawpos-malware.htmlRawPOS
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-konni-stealthy-remote-access
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-konni-stealthy-remote-accessKONNI
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.htmlHkdoor
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.htmliSamSam
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malwareIlluminating
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/O
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/OOSX/Dok
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/OOperation
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/operation-cleaver-the-notepad-files
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://www.cylance.com/operation-cleaver-the-notepad-filesPoS
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://www.cyphort.com/eternalblue-exploit-actively-used-deliver-remote-access-
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://www.cyphort.com/eternalblue-exploit-actively-used-deliver-remote-access-EternalBlue
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://www.cyphort.com/eternalblue-exploit-actively-used-deliver-remote-access-KingKong.dll
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmpString found in binary or memory: https://www.cyphort.com/samba
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://www.cyphort.com/sambaOops
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://www.cyphort.com/sambaSamba
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: https://www.damballa.com/corebot-and-darknet/
Source: vnwareupdate.exe, 00000003.00000003.234268201.0000000006033000.00000004.00000001.sdmpString found in binary or memory: https://www.damballa.com/wp-content/uploads/2015/08/Damballa_PonyUp.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.dropbox.com
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: https://www.dshield.org/forums/diary/Example
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmpString found in binary or memory: https://www.easyaq.com/news/271075408.shtml
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-ef
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf
Source: vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmpString found in binary or memory: https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmpString found in binary or memory: https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslac
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmpString found in binary or memory: https://www.enterprisetimes.co.uk/201
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.enterprisetimes.co.uk/201.
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.enterprisetimes.co.uk/201Analyzing
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmpString found in binary or memory: https://www.esentire.com/news-and-events/security-advisories/kaseya-virtual-syst
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://www.esentire.com/news-and-events/security-advisories/kaseya-virtual-systl
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdfIranian
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/documents/996508/1030745/callisto-groupGrand
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdf
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdfCOSMICDUKE
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/documents/996508/1030745/cosmicduke_whitepaper.pdfUpdated
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/documents/996508/1030745/w32_regin_stage_1.pdf
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/weblog/archives/00002764.html
Source: vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/weblog/archives/00002780.html
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/weblog/archives/00002795.html
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/weblog/archives/00002822.html
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/weblog/archives/00002822.htmlDuke
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://www.f-secure.com/weblog/archives/00002822.htmlSofacy
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: https://www.fidelissecurity.com/sites/default/files/FTA_1013_RAT_in_a_jar.pdf
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmpString found in binary or memory: https://www.fidelissecurity.com/sites/default/files/FTA_1019_Ratcheting_Down_on_
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmpString found in binary or memory: https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_
Source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmpString found in binary or memory: https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_#1020
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_ZEUS
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29The
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29Ukranian
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2012/12/to-russia-with-apt.html
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/02/operation-beebus.htmlBIFROSE
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/02/operation-beebus.htmlHangover
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operati
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operati0The
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operati1Neutrino
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operatieThe
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operatinThe
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/04/the-mutter-backdoor-operatisThe
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-a
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-aLuaBot:
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-aTrojan.APT.Seinup
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-e
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-e.
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-eOperation
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-ePalebot
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-ePok
Source: vnwareupdate.exe, 00000003.00000003.241469453.0000000005A11000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/09/hand-me-downs-exploit-and-i
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-da
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-daOperation
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-daWinnti
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/10/evasive-tactics-terminator-
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/10/evasive-tactics-terminator-Pawn
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-DCSO
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-Illuminating
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-Tracking
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-i
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-iOperation
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-iOrcaRAT
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/02/operation-snowman-deputydogOperation
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/02/operation-snowman-deputydogRecent
Source: vnwareupdate.exe, 00000003.00000003.234392495.00000000060B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.fireeye.com/blog/threat-research/2014/02/operation-snowman-deputydogThe
Source: vnwareupdate.exe, 00000003.00000003.241963093.0000000005611000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmpString found in binary or memory: https://www.hybrid-analysis.com/sample/788e91b3eaa67ec6f755c9c2afc682b830282b110
Source: vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmpString found in binary or memory: https://www.hybrid-analysis.com/sample/9ed5d45130547cc1df21aafae4d90e35587c0de97
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.hybrid-analysis.com/sample/cf1568bcf5f43e0eb44b2e813e5d31cd6f058c698
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.hybrid-analysis.com/sample/cf1568bcf5f43e0eb44b2e813e5d31cd6f058c698Korean
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.hybrid-analysis.com/sample/cf1568bcf5f43e0eb44b2e813e5d31cd6f058c698Vacation
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: https://www.hybrid-analysis.com/sample/d75d19693153a36a9414f418c2498d3b49016b1e4
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.hybrid-analysis.com/sample/fec85e6f69f1e619fc2d68c5501e4a9f2cc813bca
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpString found in binary or memory: https://www.hybrid-analysis.com/sample/fec85e6f69f1e619fc2d68c5501e4a9f2cc813bcaShifr
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.hybrid-analysis.com/sample/fec85e6f69f1e619fc2d68c5501e4a9f2cc813bcaShortJSRat
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://www.icebrg.io/blog/footprints-of-fin7-iocs
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/APT28
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: https://www.its.ms.gov/services/securityAlerts/11-1-2012%20Possible%20spear%20ph
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.its.ms.gov/services/securityAlerts/11-1-2012%20Possible%20spear%20phThe
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://www.kudelskisecurity.com/sites/default/files/sphinx_moth_cfc_report.pdf
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://www.kudelskisecurity.com/sites/default/files/sphinx_moth_cfc_report.pdfAPT28
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://www.kudelskisecurity.com/sites/default/files/sphinx_moth_cfc_report.pdfSphinx
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.lac.co.jp/lacwatch/people/20170223_001224.html
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.lac.co.jp/lacwatch/people/20170223_001224.htmlAPT10
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: https://www.mcafee.com/hk/resources/white-papers/wp-global-energy-cyberattacks-n
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: https://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pd
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.menlosecurity.com/blog/a-jar-full-of-problems-for-financial-services-companies
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: https://www.mysonicwall.com/SonicAlert/searchresults.aspx?ev=article&id=995
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://www.mysonicwall.com/SonicAlert/searchresults.aspx?ev=article&ampDuqu
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs22BTurla
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2APTurla
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2CyTurla
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2ECTargeted
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2pper
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/alerts/turla-group-malware#quicktabs-alert_tabs2psTurla
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou04Turla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou2013
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou2aTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou8eTurla
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouKIVARS
Source: vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grou_cTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20groub6Turla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20groucoTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20groudfTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20groue8Turla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouf0Turla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20groumeTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouroTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouseLeviathan:
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouseTurla
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.ncsc.gov.uk/content/files/protected_files/article_files/Turla%20grouw_Turla
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdfEpic
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpString found in binary or memory: https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdfHikit
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202
Source: vnwareupdate.exeString found in binary or memory: https://www.openssl.org/docs/faq.html
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmpString found in binary or memory: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/p
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pDing
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pOcean
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-bloss
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossOPERATION
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossOperation
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fil
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmpString found in binary or memory: https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fileless-atta
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fileless-attaContinued
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.pandasecurity.com/mediacenter/pandalabs/threat-hunting-fileless-attaOlympic
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-CVE-2017-0199:
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-LeetMX
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-North
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-er
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-yberattack
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/sites/default/files/proofpoint-threat-insight-carbana
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/sites/default/files/proofpoint-threat-insight-carbanaCarbanak
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/dyre-malware-campaigners-innovate-distribution-tec
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/dyre-malware-campaigners-innovate-distribution-tecBolek:
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricksExploring
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zer
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerOops
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerTemp.Periscope
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Dyreza-Campaigners-Sights-On-F
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Dyreza-Campaigners-Sights-On-FDyre
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Dyreza-Campaigners-Sights-On-FDyreza
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Dyreza-Campaigners-Sights-On-FOngoing
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Exploit-Kit-Deja-Vu
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Exploit-Kit-Deja-VuTWO
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Exploit-Kit-Deja-VutMassive
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenser
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threa
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-ThreaDridex
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-ThreaNew
Source: vnwareupdate.exe, 00000003.00000003.235905498.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/PlugX-in-Russia
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Troj
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/abbadonpos-now-targeting-speci
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/banking-trojans-dridex-vawtrak
Source: vnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/banking-trojans-dridex-vawtrakDCSO
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-sam
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-s
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ranso
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ransoDouble
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ransoNew
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-reci
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-reciDridex
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-reciUrsnif
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backd
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdDroidJack
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdOPERATION
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleARP
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleFin7
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscri
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappearHancitor
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappearOdinaff:
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-camp
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campThe
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spea
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spea013
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spea8Leviathan:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speaLeviathan:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speaNew
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speacLeviathan:
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speameLeviathan:
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speaoLeviathan:
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmpString found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-CVE-2017-0199
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-Massive
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-Temp.Periscope
Source: vnwareupdate.exe, 00000003.00000003.236259168.0000000005C73000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/necurs-botnet-returns-with-upd
Source: vnwareupdate.exe, 00000003.00000003.242214739.0000000005451000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russia
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russiaNetTraveler
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russiaSednit
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-aptCampaign
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-aptOperation
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ostap-bender-400-ways-make-pop
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ostap-bender-400-ways-make-popAided
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ostap-bender-400-ways-make-popKOVTER
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ostap-bender-400-ways-make-popOstap
Source: vnwareupdate.exe, 00000008.00000003.285342005.0000000005DF3000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-troja
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-tAndroid
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/phish-scales-malicious-actor-tFlying
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-//Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-/LSmominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-02Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-33Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-82Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-a3Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-beSmominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-c7Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-f37Smominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-fbSmominru
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-koOilRig
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/spam-now-with-side-of-cryptxxx
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/spam-now-with-side-of-cryptxxxSpam
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/spam-now-with-side-of-cryptxxxTARGETED
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopi
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopi1#ISMDoor
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiNRecent
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopib8Turla
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopieTurla
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaign
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://www.proofpoint.com/us/threat-insight/post/ursnif-banking-trojan-campaignUrsnif
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp | String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clou
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clou617ba23c7a6aad88;APT
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouCOSMICDUKE
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouIlluminating
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouNew
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouTARGETED
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouThreat
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-clouUpdated
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp | String found in binary or memory: https://www.recordedfuture.com/web-shell-analysis-part-2/
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp | String found in binary or memory: https://www.reuters.com/article/us-india-cyber-threat-idUSKCN1B80Y2
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.reuters.com/article/us-india-cyber-threat-idUSKCN1B80Y2India
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.reuters.com/article/us-india-cyber-threat-idUSKCN1B80Y2Vacation
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp | String found in binary or memory: https://www.reverse.it/sample/6995fd3a66382669a48e071033a08c9404efd30c065b54f1ab
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?envir
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-coba
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-coba0Cobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-coba5Cobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-coba6Cobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-coba8Cobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaCCobalt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaInfrastructure
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaTCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaTDaserf
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaUCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaaCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobadCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobaeCobalt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobafcCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobagCobalt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobanCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobapCobalt
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobarCobalt
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskanalytics.com/blog/post.php?s=2017-07-07-coming-to-a-break-room-
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskanalytics.com/blog/post.php?s=2017-07-07-coming-to-a-break-room-EITest
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskanalytics.com/blog/post.php?s=2017-07-07-coming-to-a-break-room-WannaCry
Source: vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/
Source: vnwareupdate.exe, 00000003.00000003.245791168.00000000039A7000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/cobalt-strike/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/cobalt-strike/CCobalt
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/cobalt-strike/FileTour
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/fake-flash-update-watering-hole-attack/
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/fake-flash-update-watering-hole-attack/Fake
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/fake-flash-update-watering-hole-attack/HoeflerText
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/htprat/
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/3ce763275c55e691;APT10
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/Remcos
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/bRemcos
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf.P
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf21aee5e49dfa7b39fc97f0
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf49458ab6253da1f3023266
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf7e17eea51551c8d9ece289
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf928822f67fbb3cd9c83be8
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfThe
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfc6e75bb6acd73bc7cf8908
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfh
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfhttp://goo.gl/NpJpVZ
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfoney
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdfssom
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp | String found in binary or memory: https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/blog/chinese-threat-group-targeted-turkish-organizat
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/blog/chinese-threat-group-targeted-turkish-organizatChinese
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/blog/chinese-threat-group-targeted-turkish-organizatDressCode
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/blog/duqu
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/blog/spam-campaign-distributes-adwind-rat
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/blog/spam-campaign-distributes-adwind-ratDroidJack
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/blog/spam-campaign-distributes-adwind-ratSpam
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/bronze-unionBRONZE
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/bronze-unionContinued
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/htran8
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/htranAPTnotes
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaigns
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaigns//SamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaigns/fSamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaigns68dSamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaigns9SamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaignsSamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaignsc0Recent
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaignsleSamSam
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/samsam-ransomware-campaignsrbHkdoor
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/sindigoo
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/sindigoo8
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/sindigooRecent
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/sindigooThe
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/sindigooWin32/Spy.Obator
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/skeleton-key-malware-analysis
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/skeleton-key-malware-analysisA
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaign
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignAPTnotes
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignDridex
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignFull
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignGreenbugs
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignParanoid
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignSpearphishing
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignThe
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignl
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignl13475D0FDBA8DC7A648B57B10E8296D5;Bots
Source: vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignlThe
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237373308.0000000003787000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/the-mirage-campaignmlGrand
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/wiper-malware-analysis-attacking-korean-finRecent
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/wiper-malware-analysis-attacking-korean-finTrojan.APT.Seinup
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmp | String found in binary or memory: https://www.secureworks.com/research/wiper-malware-analysis-attacking-korean-finWiper
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp | String found in binary or memory: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/Teaching
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp | String found in binary or memory: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/TelsaCrypt
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/iOperation
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp | String found in binary or memory: https://www.skycure.com/blog/exaspy-commodity-android-spyware-targeting-high-lev
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-Gaza
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-New
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-The
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/CVE-2017-0199-li
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/CVE-2017-0199-liNew
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/plugx-goes-to-th
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.233075798.00000000060F3000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminer
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminer8
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-coinminerCoinMiner
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/O
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/O/A
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/ORoki
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/OTheDuqu
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/T
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp | String found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TAndroid
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TRSA
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpString found in binary or memory: https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/TTelsaCrypt
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/backdoorwinnti-attackers-have-skeleton-th
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-Dragonfly:
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-OilRig
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-an
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-ixTargeted
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-m
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-sout
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-sout4Sowbug:
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-sout5Turla
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-sout8Sowbug:
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-soutSowbug:
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-soutViSowbug:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates
Source: vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/forums/bitco
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/forums/bitcoCVE-2017-10271
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/forums/bitcoVnCVE-2017-10271
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/connect/forums/bitcoVnUntangling
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Darktrack
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Legspin
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Nymaim
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Platinum
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Regin
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/Zeus
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitep
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitep8
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepBronze
Source: vnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepComment
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepDeep
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepInComment
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepOperation
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepRegin
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepSyrian
Source: vnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepThe
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepUPS:
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepUnComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepWeComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepe_Comment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepesComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepg
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepiaComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepliComment
Source: vnwareupdate.exe, 00000003.00000002.553151421.0000000003DE1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whiteprOperation
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepraBlank
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepraComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepraPutter
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepucComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepucture
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepxeComment
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepybComment
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2016-0224
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-010516-1811-99
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-011214-3734-99
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-011214-3734-99Mestep
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-011607-5822-99
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-011607-5822-99Mestep
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-011607-5822-99Trulop
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-031519-0428-99
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99663a;APT10
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99Andromeda
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99North
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99UPS:
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99WannaCry
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-052206-5950-99Zero-day
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-062915-5446-99
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-062915-5446-99Futurax
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-062915-5446-99MyKings
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-070611-0813-99
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-070611-0813-99H-Worm
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-070611-0813-99WAP-billing
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99Dreambot
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99Karagany.B
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2017-073103-3836-99New
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2018-021208-2435-99
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2018-021208-2435-99Ransom.ShurL0ckr
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpString found in binary or memory: https://www.symantec.com/security_response/writeup.jsp?docid=2018-021208-2435-99aOperation
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpString found in binary or memory: https://www.theregister.co.uk/2018/01/16/arc_iot_botnet_malware/
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/Rescoms
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/Unmasking
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/eraUnmasking
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/ilUnmasking
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/raUnmasking
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/divide-and-conquer/reUnmasking
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/khaan-quest-chinese-cyber-espionage-targeting
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/khaan-quest-chinese-cyber-espionage-targetingCNACOM
Source: vnwareupdate.exe, 00000003.00000003.241767951.0000000005691000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/killing-with-a-borrowed-knife-chaining-core-c
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/killing-with-a-borrowed-knife-chaining-core-cRetefe
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/killing-with-a-borrowed-knife-chaining-core-cYayih
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/operation-poisoned-helmand/
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/blog/where-there-is-smoke-there-is-fire-south-asia
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/china-hacks-the-peace-palace-all-your-eezs-are-bel
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.threatconnect.com/china-hacks-the-peace-palace-all-your-eezs-are-belChina
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-/EVASIVE
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-nEVASIVE
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-tRocket
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmpString found in binary or memory: https://www.threatstream.com/blog/three-month-frameworkpos-malware-campaign-nabs
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmpString found in binary or memory: https://www.tr1adx.net/intel/TIB-00002.html
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.tr1adx.net/intel/TIB-00002.htmlBBSRAT
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.tr1adx.net/intel/TIB-00002.htmlThe
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmpString found in binary or memory: https://www.tr1adx.net/intel/TIB-00002.htmlUnusual
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_rescoms.ai
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_rescoms.aieraRescoms
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_rescoms.aiilRescoms
Source: vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpString found in binary or memory: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_rescoms.aireRescoms
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.236671866.0000000005A91000.00000004.00000001.sdmpString found in binary or memory: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-pape
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papeIXESHE
Source: vnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpString found in binary or memory: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papeSanny
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/KOVTER-and-CERBER-on-a-One-T
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/KOVTER-and-CERBER-on-a-One-TKOVTER
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack
Source: vnwareupdate.exe, 00000003.00000003.245614299.0000000003AA7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Post-Soviet-Bank-Heists---A-
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Post-Soviet-Bank-Heists---A-Post-Soviet
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Post-Soviet-Bank-Heists---A-SYSCON
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-Macro
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT--Remote-Access-Quaverse
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2New
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Tale-of-the-Two-Payloads-%E2Tale
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit--More-lik
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpString found in binary or memory: https://www.u-toyama.ac.jp/news/2016/doc/1011.pdf
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/AA19-024A
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA14-353A?utm_source=twitterfeed&utm_medium=
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA14-353A?utm_source=twitterfeed&utm_medium=Spearphishing
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA14-353A?utm_source=twitterfeed&utm_medium=Unusual
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA14-353A?utm_source=twitterfeed&utm_medium=fSkygofree:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-164A6566a8c1b8b73f10205b6b1e8757cee8489e8f756e4d0ad37a314f2
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-164A83e7aaf52e5f567349eee880b0626e61e97dc12b8db9966faf55a99
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-318A
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA17-318B
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/alerts/TA18-074A
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/analysis-reports/AR18-165A
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publ
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publ3Malware
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publB5Malware
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publDownloaders
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publEvasive
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publMalware
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publThe_Mirage_Campaign.pdf
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publcMalware
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publeMalware
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD0Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD1Truebot.A
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD3Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD5Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD9Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOThe
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD_Bankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDaBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDbBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDcBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDdBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDfBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDh
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDiBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDoBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.us-cert.gov/sites/default/files/publyMalware
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.virustotal.com/en/file/070ee4a40852b26ec0cfd79e32176287a6b9d2b15e377281d8414550a83f6496/
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp | String found in binary or memory: https://www.virustotal.com/en/file/975e515bbf8828b103b05039fe86afad7da43b043d
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://www.virustotal.com/en/file/975e515bbf8828b103b05039fe86afad7da43b043dBBSRAT
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://www.virustotal.com/en/file/975e515bbf8828b103b05039fe86afad7da43b043dRussia
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp | String found in binary or memory: https://www.virustotal.com/en/ip-address/188.128.173.225/information/
Source: vnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmp | String found in binary or memory: https://www.virustotal.com/fr/file/740d3a1b84e274ad36c6811ee597851b279aa893de6be
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details
Source: vnwareupdate.exe, 00000003.00000003.242072217.0000000005511000.00000004.00000001.sdmp | String found in binary or memory: https://www.volexity.com/blog/2014/10/09/democracy-in-hong-kong-under-attack/
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp | String found in binary or memory: https://www.volexity.com/blog/2014/10/09/democracy-in-hong-kong-under-attack/UnDemocracy
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp | String found in binary or memory: https://www.volexity.com/blog/2014/10/09/democracy-in-hong-kong-under-attack/asDemocracy
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp | String found in binary or memory: https://www.volexity.com/blog/2014/10/09/democracy-in-hong-kong-under-attack/g
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp | String found in binary or memory: https://www.volexity.com/blog/2014/10/09/democracy-in-hong-kong-under-attack/reDemocracy
Source: vnwareupdate.exe, 00000003.00000003.241994796.0000000005651000.00000004.00000001.sdmp | String found in binary or memory: https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-tar
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-tarReal
Source: vnwareupdate.exe, 00000003.00000002.566831546.0000000004021000.00000004.00000001.sdmp | String found in binary or memory: https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-tarRussia
Source: vnwareupdate.exe, 00000003.00000003.238306723.0000000003B67000.00000004.00000001.sdmp | String found in binary or memory: https://www.votiro.com/single-post/2017/08/23/Votiro-Labs-exposed-a-new-hacking-
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://www.votiro.com/single-post/2017/08/23/Votiro-Labs-exposed-a-new-hacking-&#39
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://www.votiro.com/single-post/2017/08/23/Votiro-Labs-exposed-a-new-hacking-Campaign
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-sta
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-sta.
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-staCarbon
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-staOperation
Source: vnwareupdate.exe, 00000003.00000003.242046472.00000000055D1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-Turlas
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/.0
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/It
Source: vnwareupdate.exe, 00000003.00000002.559056371.0000000003EA1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/JS_POWMET
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/ppendixes.pdf8
Source: vnwareupdate.exe, 00000003.00000003.245681490.0000000003AE7000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmediaFreeMilk:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmediaOSX/Proton
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmediacators_of_compromise
Source: vnwareupdate.exe, 00000003.00000003.245741695.0000000003A67000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-di
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diAnalyzing
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diBadRabbit
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/
Source: vnwareupdate.exe, 00000003.00000002.530463485.0000000002B4E000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/8P
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/ATMii:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/Windigo
Source: vnwareupdate.exe, 00000003.00000003.237953574.0000000003A27000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/12/04/eset-takes-part-global-operation-disru
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/12/04/eset-takes-part-global-operation-disruDisrupting
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/12/04/eset-takes-part-global-operation-disruFancy
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfi
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfi-
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfi2ed97283c6e157eb5;AP
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfiIStrongPity2
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfiStrongPity2
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfibStrongPity2
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/0F246A13178841F8B324CA54696F592B;Wa
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/APT
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/C20980D3971923A0795662420063528A43D
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/Turla
Source: vnwareupdate.exe, 00000003.00000003.241724758.00000000057D1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdfAided
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdfIndustroyer
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdfIranian
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf.
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf.P
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdfLeakerLocker:
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdfStantinko
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdfGazing
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdfNetwire
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pd
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdDiplomats
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdNearly
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdSkygofree:
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp | String found in binary or memory: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdp
Source: vnwareupdate.exe, 00000003.00000003.241875314.0000000005751000.00000004.00000001.sdmp | String found in binary or memory: https://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf8
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp | String found in binary or memory: https://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdfPeering
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp | String found in binary or memory: https://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdfStuxnet
Source: vnwareupdate.exe, 00000003.00000003.236580164.0000000005A51000.00000004.00000001.sdmp | String found in binary or memory: https://www.yumpu.com/en/document/view/55505308/the-history-of-the-darkseoul-gro
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-thre
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp | String found in binary or memory: https://www.zingbox.com/blog/ploutus-d-malware-turns-atms-into-iot-devices/
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp | String found in binary or memory: https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategicWatering
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237233008.00000000036C1000.00000004.00000001.sdmp | String found in binary or memory: https://www.zscaler.com/blogs/research/ispy-keyloggerfFidelis
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp | String found in binary or memory: https://www.zscaler.com/blogs/research/neutrino-malvertising-campaign-drops-gamaIThe
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp | String found in binary or memory: https://www.zscaler.com/blogs/research/neutrino-malvertising-campaign-drops-gamalRetefe
Source: vnwareupdate.exe, 00000003.00000003.233308423.0000000006233000.00000004.00000001.sdmp, vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp | String found in binary or memory: https://www.zscaler.com/blogs/research/new-infostealer-trojan-uses-fiddler-proxyTWO
Source: vnwareupdate.exe, 00000003.00000003.234063890.0000000005AD1000.00000004.00000001.sdmp | String found in binary or memory: https://www.zscaler.com/pdf/technicalbriefs/tb_advanced_persistent_threats.pdf
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp | String found in binary or memory: https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp | String found in binary or memory: https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf8
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdfAPT30
Source: vnwareupdate.exe, 00000003.00000003.241919530.0000000005791000.00000004.00000001.sdmp | String found in binary or memory: https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdfHiding
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp | String found in binary or memory: https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdfTofsee
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp | String found in binary or memory: https://zairon.wordpress.com/2017/02/05/from-rtf-to-cobalt-strike-passing-via-fl
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp | String found in binary or memory: https://zairon.wordpress.com/2017/02/05/from-rtf-to-cobalt-strike-passing-via-flFrom
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | Code function: 0_2_00405205 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected Quasar RAT
Source: Yara match | File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected RevengeRAT
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | File deleted: C:\Users\user\Desktop\SQSJKEBWDT.docx
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | File deleted: C:\Users\user\Desktop\BNAGMGSPLO\EEGWXUHVUG.xlsx
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | File deleted: C:\Users\user\Desktop\ZGGKNSUKOP.jpg
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | File deleted: C:\Users\user\Desktop\PIVFAGEAAV.docx
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | File deleted: C:\Users\user\Desktop\EEGWXUHVUG.xlsx
Writes a notice file (html or txt) to demand a ransom
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | File dropped: C:\Users\user\Desktop\filename-iocs.txt -> decrypt\.url;60# hawkeye keylogger https://goo.gl/th5q2v\\hawkeye_keylogger_;70# kaspersky rat report https://goo.gl/th5q2v\\appdata\\roaming\\microsoft\\[^\\]{1,32}\.(exe|doc|zip);50\\audioendpointbuilder\.exe;60\\brokerinfrastructure\.exe;60\\windowsupdate\.exe;50# apt28 https://goo.gl/6xiayqmicrosoft\\mediaplayer\\updatewindws\.exe;100\\updatewindws\.exe;70\\netui\.dll;50\\edg6ef885e2\.tmp;60\\appdata\\local\\conhost\.dll;70\\application data\\conhost\.dll;70\\application data\\svchost\.exe;70\\application data\\conhost\.dll;70\\appdata\\local\\svchost\.exe;70\\appdata\\local\\conhost\.dll;70# fidelis threat advisory http://goo.gl/zjjyti\\9i86vdi3l1zi1v\\;60\\cvaniocol\.cmd;60\\flrsqgyy\.dvz;60\\ibdyambl\.vbs;60\\ouhlolswfixh$;60\\slie\.rjd$;60\\znimialt\.exe;60(temp|tmp|temp)\\cedt370r\(3\)\.exe;60(temp|tmp|temp)\\penguin\.exe;60\\microsoft\\windows\\hknswc\.exe;60\\microsoft\\windows\\appmgnt\.exe;60\\policymanager$;60\\file_127\.127\.ppt;60\\file_127\.127\.ppsx;60(t
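The dropped filename-iocs.txt previewed above is not a ransom note: its content is a list of filename-IOC signatures, one `<regex>;<score>` rule per line with `#` comment lines naming the rule's source (the newlines were lost in the preview, but the `;NN#` and `;NN\\` boundaries show where they were). The "Writes a notice file" signature fired on the `decrypt\.url` pattern inside this rule set. A process that loads signature data of this kind carries strings from many malware families in memory, which is worth keeping in mind when reading the RAT, web-shell and reference-URL hits on this sample's memory dumps: before treating them as live payloads, check whether the matched bytes are rule text. The parser and scorer below is an added example, not code from the report or from the sample. It assumes the layout just described, case-insensitive regex search over the full path, and that a path's score is the sum of every rule that matches it; the rule text is reconstructed from the preview and the file paths are constructed for the example.

```python
"""Filename-IOC signature matcher (added example; not part of the sandbox
report or of the analysed sample).

Assumed layout, taken from the filename-iocs.txt fragment in the report:
one '<regex>;<score>' rule per line, '#' lines are comments describing the
rules that follow, matching is a case-insensitive regex search over the
full path, and a path's score is the sum of every rule that matches it.
"""
import re
from dataclasses import dataclass

# Constructed sample rules: lifted from the report's dropped-file preview and
# split back into lines at the ';NN' boundaries. '\\' in a rule is the regex
# escape for one literal backslash, as in the preview.
SAMPLE_IOCS = r"""
# hawkeye keylogger https://goo.gl/th5q2v
\\hawkeye_keylogger_;70
# kaspersky rat report https://goo.gl/th5q2v
\\appdata\\roaming\\microsoft\\[^\\]{1,32}\.(exe|doc|zip);50
\\audioendpointbuilder\.exe;60
\\brokerinfrastructure\.exe;60
\\windowsupdate\.exe;50
\\appdata\\local\\conhost\.dll;70
(temp|tmp|temp)\\penguin\.exe;60
"""

# Constructed file paths to score; none of them appears in the report.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\WindowsUpdate.exe",  # two rules hit
    r"C:\Users\alice\AppData\Roaming\Microsoft\update.exe",         # one rule, 50
    r"C:\Users\alice\AppData\Local\conhost.dll",                    # one rule, 70
    r"C:\Windows\System32\conhost.exe",                             # legitimate path
    r"C:\Users\alice\AppData\Local\Temp\penguin.exe",               # one rule, 60
]


@dataclass(frozen=True)
class FilenameIoc:
    pattern: re.Pattern
    score: int
    description: str  # nearest preceding '#' comment, e.g. the source report


def parse_filename_iocs(text: str) -> list[FilenameIoc]:
    """Parse '<regex>;<score>' lines; raise ValueError on a malformed line."""
    rules = []
    description = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            description = line.lstrip("#").strip()
            continue
        # The score follows the LAST ';', so a ';' inside the regex is harmless.
        regex, sep, score = line.rpartition(";")
        if not sep or not score.lstrip("-").isdigit():
            raise ValueError(f"line {lineno}: expected '<regex>;<score>', got {line!r}")
        try:
            compiled = re.compile(regex, re.IGNORECASE)
        except re.error as exc:
            raise ValueError(f"line {lineno}: bad regex {regex!r}: {exc}") from None
        rules.append(FilenameIoc(compiled, int(score), description))
    return rules


def score_path(path: str, rules: list[FilenameIoc]) -> tuple[int, list[FilenameIoc]]:
    """Summed score and the rules that hit for one path. search() rather than
    fullmatch(), because the rules anchor on a fragment such as '\\appdata\\local\\'."""
    hits = [r for r in rules if r.pattern.search(path)]
    return sum(r.score for r in hits), hits


def scan_paths(paths, rules, threshold: int = 60):
    """Paths whose summed score reaches the threshold, highest score first.
    Each entry is (path, score, [regex source of every matching rule])."""
    flagged = []
    for path in paths:
        total, hits = score_path(path, rules)
        if total >= threshold:
            flagged.append((path, total, [h.pattern.pattern for h in hits]))
    flagged.sort(key=lambda entry: entry[1], reverse=True)
    return flagged


if __name__ == "__main__":
    loaded = parse_filename_iocs(SAMPLE_IOCS)
    for path, total, regexes in scan_paths(SAMPLE_PATHS, loaded):
        print(f"{total:>4}  {path}  <- {regexes}")
```

With the constructed rules, WindowsUpdate.exe under Roaming\Microsoft scores 100 (the generic Roaming\Microsoft rule and the windowsupdate.exe rule both hit), update.exe in the same directory scores 50 and stays below the default threshold, and the System32 conhost.exe scores 0 because the conhost rule is tied to AppData\Local. The threshold is the knob that separates a single low-confidence filename hit from a path that several independent rules agree on.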

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Author: Florian Roth
Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.436058475.0000000006B94000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - file b37.php | Author: Florian Roth
Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt | Author: Florian Roth
Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
Source: 0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file shankar.php.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Author: Florian Roth
Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Author: Florian Roth
Source: 00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - file h6ss.php | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects NoPowerShell hack tool | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects JQuery File Upload vulnerability CVE-2018-9206 | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects strings from FIN7 report in August 2018 | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects malicious Doc from FIN7 campaign | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs a tool used in the Australian Parliament House network compromise | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs a tool used in the Australian Parliament House network compromise | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects APT34 PowerShell malware | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects APT34 PowerShell malware | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects APT34 PowerShell malware | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Crypto Miner strings | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Dsniff hack tool | Author: Florian Roth
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects NoPowerShell hack tool | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects JQuery File Upload vulnerability CVE-2018-9206 | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects strings from FIN7 report in August 2018 | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects malicious Doc from FIN7 campaign | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs a tool used in the Australian Parliament House network compromise | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs a tool used in the Australian Parliament House network compromise | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects APT34 PowerShell malware | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects APT34 PowerShell malware | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects APT34 PowerShell malware | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Crypto Miner strings | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Dsniff hack tool | Author: Florian Roth
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group | Author: Florian Roth
Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Author: Florian Roth
Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | Author: Florian Roth
Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Author: Florian Roth
Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Author: Florian Roth
Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - file h6ss.php | Author: Florian Roth
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - from files Shell [ci | Author: unknown
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.sh | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.asp | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf-psh.vba | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf-exe.vba | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.psh | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.aspx | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf-exe.aspx | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.vbs | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.vba | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.ps1 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf-cmd.ps1 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.hta | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf-ref.ps1 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects PowerShell ISESteroids obfuscation | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Reflective DLL Loader | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Reflective DLL Loader | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: VBScript cloaked as Favicon file used in Leviathan incident | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects malware from StoneDrill threat report | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects malware from StoneDrill threat report | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects a ZxShell - CN threat group | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects EternalRocks Malware - file taskhost.exe | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BeyondExec Remote Access Tool - file rexesvr.exe | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Pupy RAT | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects strings from OilRig malware and malicious scripts | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Industroyer related malware | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Industroyer related custom port scaner output file | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Industroyer related malware | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Industroyer related malware | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Red Sails Hacktool - Python | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects malware from Rehashed RAT incident | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Pupy backdoor | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Malware sample mentioned in Microcin technical report by Kaspersky | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Fireball malware - file clearlog.dll | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Ysoserial Payloads | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects CactusTorch Hacktool | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Quasar RAT | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects malware from Operation Cloud Hopper | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects malware from Operation Cloud Hopper | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Malware related to Operation Cloud Hopper - Page 25 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Tools related to Operation Cloud Hopper | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects RevengeRAT malware | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Mimipenguin Password Extractor - Linux | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Invoke-Mimikatz String | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Word Dropper from Proofpoint FIN7 Report | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Crypto Miner strings | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Invoke-WmiExec or Invoke-SmbExec | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Invoke-WmiExec or Invoke-SmbExec | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file WMImplant.ps1 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects powershell script used in Operation Wilted Tulip | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects a Windows scheduled task as used in Operation Wilted Tulip | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Compiled Impacket Tools | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file elgingamble | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file cmsd | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file eggbasket | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file sambal | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file envisioncollision | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file cmsex | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file DUL | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file slugger2 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file jackpop | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file estesfox | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Equation Group hack tool set | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects EquationGroup Tool - April Leak | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects EquationGroup Tool - April Leak | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects EquationGroup Tool - April Leak | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects EquationGroup Tool - April Leak | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects EquationGroup Tool - April Leak | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects EquationGroup Tool - April Leak | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects output generated by EQGRP scanner.exe | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: IEC-104 Interaction Module Program Strings | Author: Dragos Inc
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects cloaked Mimikatz in VBS obfuscation | Author: Florian Roth
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects cloaked Mimikatz in JS obfuscation | Author: Florian Roth
Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web shells - generated from file PHP1.php | Author: Florian Roth
Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file h4ntu shell [powered by tsoi | Author: unknown
Source: 00000013.00000003.458084749.0000000006D9C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file shankar.php.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt | Author: Florian Roth
Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt | Author: Florian Roth
Source: 00000013.00000003.470647242.0000000006B9B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - file b37.php | Author: Florian Roth
Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - file b37.php | Author: Florian Roth
Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | Author: Florian Roth
Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 | Author: Florian Roth
Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - file cmdjsp.jsp | Author: Florian Roth
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web shells - generated from file 404super.php | Author: Florian Roth
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web shells - generated from file Asp.asp | Author: Florian Roth
Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt | Author: Florian Roth
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - from files Shell [ci | Author: unknown
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Volgmer malware as reported in US CERT TA17-318B | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects a process injection utility that can be used ofr good and bad purposes | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects export from Gold Dragon - February 2018 | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Lazarus malware from incident in Dec 2017 | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Turla Agent.BTZ | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects malicious obfuscated VBS observed in February 2018 | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file Scan Copy.pdf.com | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Armitage component | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Armitage component | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects malware sample mentioned in the Silence report on Securelist | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Invoke-Mimikatz String | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects unspecified malware sample | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects a command to execute PowerShell from String | Author: Florian Roth
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: DLL implant, originally rights.dll and runs as a service | Author: David Cannings
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect netwire in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 | Author: Florian Roth
Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt | Author: Florian Roth
Source: 00000013.00000003.473662008.0000000006B9B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - file b37.php | Author: Florian Roth
Source: 00000013.00000003.481442342.0000000006D9C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file shankar.php.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.325135478.0000000006854000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file shankar.php.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - from files Shell [ci | Author: unknown
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Web Shell - file h6ss.php | Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects Volgmer malware as reported in US CERT TA17-318B | Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects a process injection utility that can be used ofr good and bad purposes Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Lazarus malware from incident in Dec 2017 Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Turla Agent.BTZ Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects malicious obfuscated VBS observed in February 2018 Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file Scan Copy.pdf.com Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Armitage component Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Armitage component Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects malware sample mentioned in the Silence report on Securelist Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects a command to execute PowerShell from String Author: Florian Roth
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: DLL implant, originally rights.dll and runs as a service Author: David Cannings
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, type: MEMORYMatched rule: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 Author: Florian Roth
Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Web Shell - file cmdjsp.jsp Author: Florian Roth
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Web shells - generated from file 404super.php Author: Florian Roth
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Web shells - generated from file Asp.asp Author: Florian Roth
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file shankar.php.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.470556930.0000000006B92000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php Author: Florian Roth
Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php Author: Florian Roth
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Web shells - generated from file PHP1.php Author: Florian Roth
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file h4ntu shell [powered by tsoi Author: unknown
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORYMatched rule: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.sh Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.asp Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf-exe.vba Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.psh Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.aspx Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf-exe.aspx Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.vbs Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.vba Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf-cmd.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf.hta Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Metasploit Payloads - file msf-ref.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects PowerShell ISESteroids obfuscation Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Reflective DLL Loader Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Reflective DLL Loader Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: VBScript cloaked as Favicon file used in Leviathan incident Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects malware from StoneDrill threat report Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects malware from StoneDrill threat report Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects EternalRocks Malware - file taskhost.exe Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects BeyondExec Remote Access Tool - file rexesvr.exe Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Pupy RAT Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects strings from OilRig malware and malicious scripts Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Industroyer related malware Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Industroyer related custom port scaner output file Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Industroyer related malware Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Industroyer related malware Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Red Sails Hacktool - Python Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects malware from Rehashed RAT incident Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Malware sample mentioned in Microcin technical report by Kaspersky Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Ysoserial Payloads Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects CactusTorch Hacktool Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Malware related to Operation Cloud Hopper - Page 25 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Tools related to Operation Cloud Hopper Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Mimipenguin Password Extractor - Linux Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Word Dropper from Proofpoint FIN7 Report Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Invoke-WmiExec or Invoke-SmbExec Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Invoke-WmiExec or Invoke-SmbExec Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file WMImplant.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects powershell script used in Operation Wilted Tulip Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects a Windows scheduled task as used in Operation Wilted Tulip Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects hack tool used in Operation Wilted Tulip - Windows Tasks Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Compiled Impacket Tools Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file elgingamble Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file cmsd Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file eggbasket Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file sambal Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file envisioncollision Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file cmsex Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file DUL Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file slugger2 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file jackpop Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file estesfox Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Equation Group hack tool set Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects EquationGroup Tool - April Leak Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects output generated by EQGRP scanner.exe Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: IEC-104 Interaction Module Program Strings Author: Dragos Inc
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects cloaked Mimikatz in VBS obfuscation Author: Florian Roth
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects cloaked Mimikatz in JS obfuscation Author: Florian Roth
Source: 0000000A.00000003.322872020.0000000006854000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file shankar.php.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Web Shell - from files Shell [ci Author: unknown
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php Author: Florian Roth
Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.464807403.0000000006D9C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file shankar.php.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, type: MEMORYMatched rule: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 Author: Florian Roth
Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Volgmer malware as reported in US CERT TA17-318B Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects a process injection utility that can be used ofr good and bad purposes Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Lazarus malware from incident in Dec 2017 Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Turla Agent.BTZ Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects malicious obfuscated VBS observed in February 2018 Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file Scan Copy.pdf.com Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Armitage component Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Armitage component Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects malware sample mentioned in the Silence report on Securelist Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Invoke-Mimikatz String Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects a command to execute PowerShell from String Author: Florian Roth
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: DLL implant, originally rights.dll and runs as a service Author: David Cannings
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Web Shell - from files Shell [ci Author: unknown
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Web Shell - file b37.php Author: Florian Roth
Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, type: MEMORYMatched rule: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Volgmer malware as reported in US CERT TA17-318B Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects a process injection utility that can be used ofr good and bad purposes Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Lazarus malware from incident in Dec 2017 Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects Turla Agent.BTZ Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects malicious obfuscated VBS observed in February 2018 Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file Scan Copy.pdf.com Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Armitage component; Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Armitage component; Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects malware sample mentioned in the Silence report on Securelist; Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Invoke-Mimikatz String; Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects unspecified malware sample; Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a command to execute PowerShell from String; Author: Florian Roth
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY; Matched rule: DLL implant, originally rights.dll and runs as a service; Author: David Cannings
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect netwire in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php; Author: Florian Roth
Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Web shells - generated from file PHP1.php; Author: Florian Roth
Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Semi-Auto-generated - file h4ntu shell [powered by tsoi; Author: unknown
Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf.sh; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf-psh.vba; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf-exe.vba; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf.psh; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf.aspx; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf-cmd.ps1; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Metasploit Payloads - file msf-ref.ps1; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects PowerShell ISESteroids obfuscation; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Codoso APT CustomTCP Malware; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a malware sysdll.exe from the Rocket Kitten APT; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Reflective DLL Loader; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Reflective DLL Loader; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects all QuarksPWDump versions; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file create_dns_injection.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file screamingplow.sh; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file MixText.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file tunnel_state_reader; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file payload.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file eligiblecandidate.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file BUSURPER-2211-724.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file networkProfiler_orderScans.sh; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file sniffer_xml2pcap; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file BananaAid; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file config_jp1_UA.pl; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file userscript.FW; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file BUSURPER-3001-724.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file workit.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file tinyhttp_setup.sh; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file EPBA.script; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file jetplow.sh; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file sploit.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file uninstallPBD.bat; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file BICECREAM-2140; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file BFLEA-2201.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file StoreFc.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - from files sploit.py, sploit.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - from files ssh.py, telnet.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - Extrabacon exploit output; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EQGRP Toolset Firewall - Unique strings; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file kerberoast.py; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects PlugX Malware Samples from June 2016; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Venom Linux Rootkit; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects IronGate APT Malware - Step7ProSim DLL; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a ZxShell - CN threat group; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hack Deep Panda - lot1.tmp-pwdump; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hack Deep Panda - htran-exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects EternalRocks Malware - file taskhost.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Linux hack tools - file a; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Linux Port Scanner Shark; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a tool used by APT groups - file pstgdump.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a tool used by APT groups; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a tool used by APT groups - file PwDump.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects an XML that executes Mimikatz on an endpoint via MSBuild; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a process injection utility that can be used ofr good and bad purposes; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects NoPowerShell hack tool; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Pupy RAT; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT and similar malware; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Turla Agent.BTZ; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: CommentCrew Malware MiniASP APT; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: X-Agent/CHOPSTICK Implant by APT28; Author: US CERT
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Industroyer related custom port scaner output file; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Industroyer related malware; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects simple Windows shell - file s3.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects simple Windows shell - file s1.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects simple Windows shell - from files s3.exe, s4.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: PassCV Malware mentioned in Cylance Report; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Turla malware (based on sample used in the RUAG APT case); Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Turla malware (based on sample used in the RUAG APT case); Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Turla malware (based on sample used in the RUAG APT case); Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Red Sails Hacktool - Python; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects an APT malware related to PutterPanda; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects malware from Rehashed RAT incident; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Pupy backdoor; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Iron Panda malware DnsTunClient - file named.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Iron Panda Malware Htran; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects malware from the Proofpoint CN APT ZeroT incident; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects malware from the Proofpoint CN APT ZeroT incident; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Malware sample mentioned in Microcin technical report by Kaspersky; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Fireball malware - file clearlog.dll; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Ysoserial Payloads; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Mimikatz strings; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: FiveEyes QUERTY Malware - file 20123_cmdDef.xml; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: FiveEyes QUERTY Malware - file 20123.xml; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: FiveEyes QUERTY Malware - file 20120_cmdDef.xml; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: FiveEyes QUERTY Malware - file 20121_cmdDef.xml; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects JQuery File Upload vulnerability CVE-2018-9206; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects CactusTorch Hacktool; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects strings from FIN7 report in August 2018; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Quasar RAT; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: CCProxy config known from Operation Cleaver; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects malware from Operation Cloud Hopper; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Malware related to Operation Cloud Hopper - Page 25; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Tools related to Operation Cloud Hopper; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Malware Sample - maybe Regin related; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: EquationDrug - HDD/SSD firmware operation - nls_933w.dll; Author: Florian Roth @4nc4p
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects RevengeRAT malware; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Mimipenguin Password Extractor - Linux; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs a tool used in the Australian Parliament House network compromise; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs a tool used in the Australian Parliament House network compromise; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Pirpi Backdoor - and other malware (generic rule); Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Pirpi Backdoor; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a tool that can be used for privilege escalation - file folderperm.ps1; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects unmodified CobaltStrike beacon DLL; Author: yara@s3c.za.net
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects a Metasploit Loader by RSMudge - file loader.exe; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Armitage component; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects APT34 PowerShell malware; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects APT34 PowerShell malware; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects malware sample mentioned in the Silence report on Securelist; Author: Florian Roth
Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects Invoke-Mimikatz String; Author: Florian Roth
Yara detected Xtreme RAT
Source: Yara match; File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Source: C:\Users\user\Desktop\vnwareupdate.exe; Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe; Code function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C55130
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02BED6B0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C016E0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02BA76E0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C49650
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C5F610
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02BCF640
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C437F0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C5F790
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C45750
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C4D710
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02BFB4C0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C41470
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02BCF450
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C27430
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C45589
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C1B5A0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C435B0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C45510
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C51AD0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C43A40
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C5FA50
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C45A70
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C41A20
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C43BE0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C1BB80
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C63B80
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C5D8C0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C3B950
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C3F930
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C69930
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 9_2_02C35E70
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 10_2_02B9A220
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 10_2_02BD2310
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 10_2_02BE6360
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 10_2_02B976E0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 10_2_02BEAFB0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 10_2_02C09F50
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 10_2_02BEB4C0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 10_2_02BEADB0
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: 10_2_02BEA590
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BDC5A0 appears 43 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02C5A840 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BD5810 appears 69 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02C65870 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02C6A840 appears 577 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BE99B0 appears 67 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BDAA60 appears 34 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02CFA840 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02E6A840 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BD57D0 appears 130 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02D5D470 appears 45 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BB4570 appears 34 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02D75870 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02DD5870 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BAD470 appears 45 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BD5890 appears 43 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BD5870 appears 398 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02C00EC0 appears 47 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BC5870 appears 63 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BE3160 appears 111 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BB43E0 appears 318 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02BBD470 appears 37 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02DBD470 appears 45 times
Source: C:\Users\user\Desktop\vnwareupdate.exeCode function: String function: 02E0A840 appears 63 times
Source: GZe6EcSTpO.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GZe6EcSTpO.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GZe6EcSTpO.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GZe6EcSTpO.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
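The Characteristics flags listed for GZe6EcSTpO.exe carry one security-relevant fact that the report does not spell out: RELOCS_STRIPPED means the linker removed the base relocations, so the loader has to map the image at its preferred ImageBase and cannot randomize it, whatever its DllCharacteristics say. The script below is an added example, not part of this report or of the sandbox: it decodes IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics from raw PE bytes using the constant values from winnt.h, names them the way this report does, and derives whether the image is relocatable and ASLR-eligible. Because the sample itself is not available here, the script builds a minimal constructed PE header carrying the same five flags the report lists; its DllCharacteristics value of zero is an assumption, since the report does not show that field.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), named as this report prints them.
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits that govern exploit mitigations.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}


def _names(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_pe_flags(data):
    """Decode header flags from raw PE bytes and derive relocation/ASLR status."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    dll_chars = 0
    if opt_size >= 72:
        # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header.
        dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocatable = not (chars & 0x0001)
    return {
        "characteristics": _names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _names(dll_chars, DLL_CHARACTERISTICS),
        "relocatable": relocatable,
        # The loader can only randomize an image that it can rebase and that opted in.
        "aslr": relocatable and bool(dll_chars & 0x0040),
    }


def build_min_pe(characteristics, dll_characteristics=0):
    """Constructed minimal PE header: DOS stub, PE signature, file header, 72-byte optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 72, characteristics)  # 0x014C = i386
    opt = bytearray(72)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    # Same five flags the report lists for GZe6EcSTpO.exe; DllCharacteristics = 0 is an assumption.
    sample = build_min_pe(0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100)
    for key, value in parse_pe_flags(sample).items():
        print(f"{key}: {value}")
```

Point the same parser at a real file with `parse_pe_flags(open(path, "rb").read())`; a result of `relocatable: False` is worth noting in an analysis because every address inside that image is fixed across hosts.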
Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 00000013.00000003.473985141.0000000006BA5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.428708026.0000000006BA5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.436058475.0000000006B94000.00000004.00000001.sdmp, type: MEMORY | Matched rule: webshell_PHP_b37 date = 2014/01/28, author = Florian Roth, description = Web Shell - file b37.php, score = 0421445303cfd0ec6bc20b3846e30ff0
Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: multiple_webshells_0015 hash3 = 38fd7e45f9c11a37463c3ded1c76af4c, hash2 = 09609851caa129e40b0d56e90dfc476c, hash1 = 44542e5c3e9790815c49d5f9beffbbf2, hash0 = 9c5bb5e3a46ec28039e8986324e42792, author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, super_rule = _wacking_php_php_1_SpecialShell_99_php_php_c100_php
Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Webshell_27_9_acid_c99_locus7s date = 2016-01-11, hash5 = bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96, hash4 = 07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a, hash3 = 960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668, hash2 = 7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549, author = Florian Roth, description = Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, hash8 = ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f, hash7 = ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f, hash6 = 5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3, reference = https://github.com/nikicat/web-malware-collection, score = 2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4
Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 0000000A.00000003.312404128.0000000006667000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, type: MEMORY | Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, type: MEMORY | Matched rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit date = 2014/01/28, author = Florian Roth, description = Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, score = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, type: MEMORY | Matched rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit author = Florian Roth, description = PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, hash = b2b797707e09c12ff5e632af84b394ad41a46fa4
Source: 00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp, type: MEMORY | Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp, type: MEMORY | Matched rule: webshell_php_h6ss date = 2014/01/28, author = Florian Roth, description = Web Shell - file h6ss.php, score = 272dde9a4a7265d6c139287560328cd5
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_Lazagne_Gen_18 date = 2018-12-11, author = Florian Roth, description = Detects Lazagne password extractor hacktool, reference = https://github.com/AlessandroZ/LaZagne, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NoPowerShell date = 2018-12-28, hash1 = 2dad091dd00625762a7590ce16c3492cbaeb756ad0e31352a42751deb7cf9e70, author = Florian Roth, description = Detects NoPowerShell hack tool, reference = https://github.com/bitsadmin/nopowershell
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_LNX_Pnscan date = 2019-05-27, author = Florian Roth, description = Detects Pnscan port scanner, reference = https://github.com/ptrrkssn/pnscan, score =
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Netsh_PortProxy_Command date = 2019-04-20, author = Florian Roth, description = Detects a suspicious command line with netsh and the portproxy command, reference = https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy, score = 9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: VUL_JQuery_FileUpload_CVE_2018_9206 date = 2018-10-19, reference3 = https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html, author = Florian Roth, description = Detects JQuery File Upload vulnerability CVE-2018-9206, reference2 = https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f, reference = https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_FIN7_Strings_Aug18_1 date = 2018-08-01, hash1 = b6354e46af0d69b6998dbed2fceae60a3b207584e08179748e65511d45849b00, author = Florian Roth, description = Detects strings from FIN7 report in August 2018, reference = https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_FIN7_MalDoc_Aug18_1 date = 2018-08-01, hash1 = 9c12591c850a2d5355be0ed9b3891ccb3f42e37eaf979ae545f2f008b5d124d6, author = Florian Roth, description = Detects malicious Doc from FIN7 campaign, reference = https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_PowerKatz_Feb19_1 date = 2019-02-18, author = Florian Roth, description = Detetcs a tool used in the Australian Parliament House network compromise, reference = https://twitter.com/cyb3rops/status/1097423665472376832
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_Unknown_Feb19_1 date = 2019-02-18, author = Florian Roth, description = Detetcs a tool used in the Australian Parliament House network compromise, reference = https://twitter.com/cyb3rops/status/1097423665472376832
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_APT34_PS_Malware_Apr19_1 date = 2019-04-17, hash1 = b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_APT34_PS_Malware_Apr19_2 date = 2019-04-17, hash1 = 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_APT34_PS_Malware_Apr19_3 date = 2019-04-17, hash1 = 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_Dsniff date = 2019-02-19, author = Florian Roth, description = Detects Dsniff hack tool, score = https://goo.gl/eFoP4A
Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1 date = 2019-04-13, hash1 = d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 0000000A.00000003.324847009.0000000006648000.00000004.00000001.sdmp, type: MEMORY | Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_Lazagne_Gen_18 date = 2018-12-11, author = Florian Roth, description = Detects Lazagne password extractor hacktool, reference = https://github.com/AlessandroZ/LaZagne, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 51121dd5fbdfe8db7d3a5311e3e9c904d644ff7221b60284c03347938577eecf
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NoPowerShell date = 2018-12-28, hash1 = 2dad091dd00625762a7590ce16c3492cbaeb756ad0e31352a42751deb7cf9e70, author = Florian Roth, description = Detects NoPowerShell hack tool, reference = https://github.com/bitsadmin/nopowershell
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_LNX_Pnscan date = 2019-05-27, author = Florian Roth, description = Detects Pnscan port scanner, reference = https://github.com/ptrrkssn/pnscan, score =
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Netsh_PortProxy_Command date = 2019-04-20, author = Florian Roth, description = Detects a suspicious command line with netsh and the portproxy command, reference = https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy, score = 9b33a03e336d0d02750a75efa1b9b6b2ab78b00174582a9b2cb09cd828baea09
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: VUL_JQuery_FileUpload_CVE_2018_9206 date = 2018-10-19, reference3 = https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html, author = Florian Roth, description = Detects JQuery File Upload vulnerability CVE-2018-9206, reference2 = https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f, reference = https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_FIN7_Strings_Aug18_1 date = 2018-08-01, hash1 = b6354e46af0d69b6998dbed2fceae60a3b207584e08179748e65511d45849b00, author = Florian Roth, description = Detects strings from FIN7 report in August 2018, reference = https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_FIN7_MalDoc_Aug18_1 date = 2018-08-01, hash1 = 9c12591c850a2d5355be0ed9b3891ccb3f42e37eaf979ae545f2f008b5d124d6, author = Florian Roth, description = Detects malicious Doc from FIN7 campaign, reference = https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_PowerKatz_Feb19_1 date = 2019-02-18, author = Florian Roth, description = Detetcs a tool used in the Australian Parliament House network compromise, reference = https://twitter.com/cyb3rops/status/1097423665472376832
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_Unknown_Feb19_1 date = 2019-02-18, author = Florian Roth, description = Detetcs a tool used in the Australian Parliament House network compromise, reference = https://twitter.com/cyb3rops/status/1097423665472376832
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_APT34_PS_Malware_Apr19_1 date = 2019-04-17, hash1 = b1d621091740e62c84fc8c62bcdad07873c8b61b83faba36097ef150fd6ec768, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_APT34_PS_Malware_Apr19_2 date = 2019-04-17, hash1 = 2943e69e6c34232dee3236ced38d41d378784a317eeaf6b90482014210fcd459, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_APT34_PS_Malware_Apr19_3 date = 2019-04-17, hash1 = 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, author = Florian Roth, description = Detects APT34 PowerShell malware, reference = https://twitter.com/0xffff0800/status/1118406371165126656
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_Dsniff date = 2019-02-19, author = Florian Roth, description = Detects Dsniff hack tool, score = https://goo.gl/eFoP4A
Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1 date = 2019-04-13, hash1 = d77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 0000000A.00000003.316213218.0000000006859000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 0000000A.00000003.323605826.0000000006667000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.433232225.00000000052E4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000003.413817784.00000000052A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, type: MEMORY | Matched rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit date = 2014/01/28, author = Florian Roth, description = Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, score = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, type: MEMORY | Matched rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit author = Florian Roth, description = PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, hash = b2b797707e09c12ff5e632af84b394ad41a46fa4
Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 0000000A.00000003.318816470.000000000688B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 00000013.00000003.481677976.0000000006BA6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, type: MEMORYMatched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, type: MEMORYMatched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 0000000A.00000003.325411258.0000000006626000.00000004.00000001.sdmp, type: MEMORYMatched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_h6ss date = 2014/01/28, author = Florian Roth, description = Web Shell - file h6ss.php, score = 272dde9a4a7265d6c139287560328cd5
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Fierce2 date = 01.07.2014, author = Florian Roth, description = This signature detects the Fierce2 domain scanner, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx description = Web Shell - from files Shell [ci
Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf date = 2017-02-09, hash1 = 320a01ec4e023fb5fbbaef963a2b57229e4f918847e5a49c7a3f631cb556e96c, author = Florian Roth, description = Metasploit Payloads - file msf.sh, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_2 date = 2017-02-09, hash1 = e52f98466b92ee9629d564453af6f27bd3645e00a9e2da518f5a64a33ccf8eb5, author = Florian Roth, description = Metasploit Payloads - file msf.asp, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_exe date = 2017-02-09, hash1 = 321537007ea5052a43ffa46a6976075cee6a4902af0c98b9fd711b9f572c20fd, author = Florian Roth, description = Metasploit Payloads - file msf-exe.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_3 date = 2017-02-09, hash1 = 335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054, author = Florian Roth, description = Metasploit Payloads - file msf.psh, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_4 date = 2017-02-09, hash1 = 26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef, author = Florian Roth, description = Metasploit Payloads - file msf.aspx, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_exe_2 date = 2017-02-09, hash1 = 3a2f7a654c1100e64d8d3b4cd39165fba3b101bbcce6dd0f70dae863da338401, author = Florian Roth, description = Metasploit Payloads - file msf-exe.aspx, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_7 date = 2017-02-09, hash1 = 425beff61a01e2f60773be3fcb74bdfc7c66099fe40b9209745029b3c19b5f2f, author = Florian Roth, description = Metasploit Payloads - file msf.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_8 date = 2017-02-09, hash1 = 519717e01f0cb3f460ef88cd70c3de8c7f00fb7c564260bd2908e97d11fde87f, author = Florian Roth, description = Metasploit Payloads - file msf.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_cmd date = 2017-02-09, hash1 = 9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f, author = Florian Roth, description = Metasploit Payloads - file msf-cmd.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_11 date = 2017-02-09, hash1 = d1daf7bc41580322333a893133d103f7d67f5cd8a3e0f919471061d41cf710b6, author = Florian Roth, description = Metasploit Payloads - file msf.hta, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: CVE_2017_8759_SOAP_Excel date = 2017-09-15, author = Florian Roth, description = Detects malicious files related to CVE-2017-8759, reference = https://twitter.com/buffaloverflow/status/908455053345869825, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_ISESteroids_Obfuscation date = 2017-06-23, author = Florian Roth, description = Detects PowerShell ISESteroids obfuscation, reference = https://twitter.com/danielhbohannon/status/877953970437844993, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Reflective_DLL_Loader_Aug17_1 date = 2017-08-20, hash1 = f2f85855914345eec629e6fc5333cf325a620531d1441313292924a88564e320, author = Florian Roth, description = Detects Reflective DLL Loader, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Reflective_DLL_Loader_Aug17_2 date = 2017-08-20, hash2 = b90831aaf8859e604283e5292158f08f100d4a2d4e1875ea1911750a6cb85fe0, author = Florian Roth, description = Detects Reflective DLL Loader - suspicious - Possible FP could be program crack, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score = c2a7a2d0b05ad42386a2bedb780205b7c0af76fe9ee3d47bbe217562f627fcae
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Reflective_DLL_Loader_Aug17_3 date = 2017-08-20, hash1 = d10e4b3f1d00f4da391ac03872204dc6551d867684e0af2a4ef52055e771f474, author = Florian Roth, description = Detects Reflective DLL Loader, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: VBScript_Favicon_File date = 2017-10-18, hash1 = 39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36, author = Florian Roth, description = VBScript cloaked as Favicon file used in Leviathan incident, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Backdoor_Redosdru_Jun17 date = 2017-06-04, hash1 = 4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309, author = Florian Roth, description = Detects malware Redosdru - file systemHome.exe, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: HTA_with_WScript_Shell date = 2017-06-21, author = Florian Roth, description = Detects WScript Shell in HTA, reference = https://twitter.com/msftmmpc/status/877396932758560768, license = https://creativecommons.org/licenses/by-nc/4.0/, score = ca7b653cf41e980c44311b2cd701ed666f8c1dbc
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: HTA_Embedded date = 2017-06-21, author = Florian Roth, description = Detects an embedded HTA file, reference = https://twitter.com/msftmmpc/status/877396932758560768, license = https://creativecommons.org/licenses/by-nc/4.0/, score = ca7b653cf41e980c44311b2cd701ed666f8c1dbc
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: StoneDrill date = 2017-03-07, hash3 = 69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db, hash2 = 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260, author = Florian Roth, description = Detects malware from StoneDrill threat report, reference = https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 2bab3716a1f19879ca2e6d98c518debb107e0ed8e1534241f7769193807aac83
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: StoneDrill_VBS_1 date = 2017-03-07, hash1 = 0f4d608a87e36cb0dbf1b2d176ecfcde837070a2b2a049d532d3d4226e0c9587, author = Florian Roth, description = Detects malware from StoneDrill threat report, reference = https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: EternalRocks_taskhost date = 2017-05-18, hash1 = cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30, author = Florian Roth, description = Detects EternalRocks Malware - file taskhost.exe, reference = https://twitter.com/stamparm/status/864865144748298242, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: BeyondExec_RemoteAccess_Tool date = 2017-03-17, hash1 = 3d3e3f0708479d951ab72fa04ac63acc7e5a75a5723eb690b34301580747032c, author = Florian Roth, description = Detects BeyondExec Remote Access Tool - file rexesvr.exe, reference = https://goo.gl/BvYurS, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Disclosed_0day_POCs_injector date = 2017-07-07, hash1 = ba0e2119b2a6bad612e86662b643a404426a07444d476472a71452b7e9f94041, author = Florian Roth, description = Detects POC code from disclosed 0day hacktool set, reference = Disclosed 0day Repos, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: OilRig_Strings_Oct17 date = 2017-10-18, author = Florian Roth, description = Detects strings from OilRig malware and malicious scripts, reference = https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Suspicious_Script_Running_from_HTTP author = Florian Roth, description = Detects a suspicious , reference = https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-20
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Industroyer_Malware_1 date = 2017-06-13, hash2 = 018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81, hash1 = ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Industroyer_Portscan_3_Output date = 2017-06-13, author = Florian Roth, description = Detects Industroyer related custom port scaner output file, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Industroyer_Malware_4 date = 2017-06-13, hash1 = 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Industroyer_Malware_5 date = 2017-06-13, hash1 = 7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: redSails_PY date = 2017-10-02, hash2 = 5ec20cb99030f48ba512cbc7998b943bebe49396b20cf578c26debbf14176e5e, hash1 = 6ebedff41992b9536fe9b1b704a29c8c1d1550b00e14055e3c6376f75e462661, author = Florian Roth, description = Detects Red Sails Hacktool - Python, reference = https://github.com/BeetleChunks/redsails, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Rehashed_RAT_2 date = 2017-09-08, hash1 = 49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966, author = Florian Roth, description = Detects malware from Rehashed RAT incident, reference = https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Microcin_Sample_5 date = 2017-09-26, hash1 = b9c51397e79d5a5fd37647bc4e4ee63018ac3ab9d050b02190403eb717b1366e, author = Florian Roth, description = Malware sample mentioned in Microcin technical report by Kaspersky, reference = https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = https://creativecommons.org/licenses/by-nc/4.0/, score = file
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: JS_Suspicious_Obfuscation_Dropbox date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://twitter.com/ItsReallyNick/status/887705105239343104, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: JS_Suspicious_MSHTA_Bypass date = 2017-07-19, author = Florian Roth, description = Detects MSHTA Bypass, reference = https://twitter.com/ItsReallyNick/status/887705105239343104, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: JavaScript_Run_Suspicious author = Florian Roth, description = Detects a suspicious Javascript Run command, reference = https://twitter.com/craiu/status/900314063560998912, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-23
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Ysoserial_Payload_Spring1 date = 2017-02-04, hash5 = 95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1, hash4 = 5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c, hash3 = 8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8, hash2 = 9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a, hash1 = bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703, author = Florian Roth, description = Ysoserial Payloads - file Spring1.bin, hash7 = adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7, hash6 = 1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Ysoserial_Payload date = 2017-02-04, hash5 = 747ba6c6d88470e4d7c36107dfdff235f0ed492046c7ec8a8720d169f6d271f4, hash4 = 5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c, hash3 = 1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187, hash2 = adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7, author = Florian Roth, description = Ysoserial Payloads, hash10 = 0143fee12fea5118be6dcbb862d8ba639790b7505eac00a9f1028481f874baa8, hash11 = 8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8, hash12 = bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703, hash9 = 1fea8b54bb92249203d68d5564a01599b42b46fc3a828fe0423616ee2a2f2d99, hash8 = 95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1, hash7 = 5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56, hash6 = f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = f756c88763d48cb8d99e26b4773eb03814d0bd9bd467cc743ebb1479b2c4073e, super_rule = 9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Ysoserial_Payload_3 date = 2017-02-04, hash2 = 5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56, author = Florian Roth, description = Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CACTUSTORCH date = 2017-07-31, hash3 = a52d802e34ac9d7d3539019d284b04ded3b8e197d5e3b38ed61f523c3d68baa7, hash2 = 0305aa32d5f8484ca115bb4888880729af7f33ac99594ec1aa3c65644e544aea, hash1 = 314e6d7d863878b6dca46af165e7f08fedd42c054d7dc3828dc80b86a3a9b98c, author = Florian Roth, description = Detects CactusTorch Hacktool, reference = https://github.com/mdsecactivebreach/CACTUSTORCH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: OpCloudHopper_Malware_2 date = 2017-04-03, hash1 = c1dbf481b2c3ba596b3542c7dc4e368f322d5c9950a78197a4ddbbaacbd07064, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: OpCloudHopper_Malware_3 date = 2017-04-03, hash1 = c21eaadf9ffc62ca4673e27e06c16447f103c0cf7acd8db6ac5c8bd17805e39d, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: OpCloudHopper_Malware_5 date = 2017-04-03, hash1 = beb1bc03bb0fba7b0624f8b2330226f8a7da6344afd68c5bc526f9d43838ef01, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: OpCloudHopper_WmiDLL_inMemory date = 2017-04-07, author = Florian Roth, description = Malware related to Operation Cloud Hopper - Page 25, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: VBS_WMIExec_Tool_Apr17_1 date = 2017-04-07, hash1 = 21bc328ed8ae81151e7537c27c0d6df6d47ba8909aebd61333e32155d01f3b11, author = Florian Roth, description = Tools related to Operation Cloud Hopper, reference = https://github.com/maaaaz/impacket-examples-windows, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, modified = 2020-07-27
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Mimipenguin_SH date = 2017-04-01, author = Florian Roth, description = Detects Mimipenguin Password Extractor - Linux, reference = https://github.com/huntergregal/mimipenguin, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: POSHSPY_Malware date = 2017-07-15, author = Florian Roth, description = Detects, reference = https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: FIN7_Backdoor_Aug17 date = 2017-08-04, author = Florian Roth, description = Detects Word Dropper from Proofpoint FIN7 Report, reference = https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Invoke_SMBExec date = 2017-06-14, hash1 = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd, author = Florian Roth, description = Detects Invoke-WmiExec or Invoke-SmbExec, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Invoke_WMIExec_Gen_1 date = 2017-06-14, hash2 = 7565d376665e3cd07d859a5cf37c2332a14c08eb808cc5d187a7f0533dc69e07, hash1 = 140c23514dbf8043b4f293c501c2f9046efcc1c08630621f651cfedb6eed8b97, author = Florian Roth, description = Detects Invoke-WmiExec or Invoke-SmbExec, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Invoke_SMBExec_Invoke_WMIExec_1 date = 2017-06-14, hash2 = b41bd54bbf119d153e0878696cd5a944cbd4316c781dd8e390507b2ec2d949e7, author = Florian Roth, description = Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Invoke_WMIExec_Gen date = 2017-06-14, hash3 = b41bd54bbf119d153e0878696cd5a944cbd4316c781dd8e390507b2ec2d949e7, hash2 = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd, author = Florian Roth, description = Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 56c6012c36aa863663fe5536d8b7fe4c460565d456ce2277a883f10d78893c01
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: WMImplant date = 2017-03-24, hash1 = 860d7c237c2395b4f51b8c9bd0ee6cab06af38fff60ce3563d160d50c11d2f78, author = Florian Roth, description = Auto-generated rule - file WMImplant.ps1, reference = https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: FVEY_ShadowBrokers_Jan17_Screen_Strings date = 2017-01-08, author = Florian Roth, description = Detects strings derived from the ShadowBroker's leak of Windows tools/exploits, reference = https://bit.no.com:43110/theshadowbrokers.bit/post/message7/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Invoke_OSiRis date = 2017-03-27, hash1 = 19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e, author = Florian Roth, description = Osiris Device Guard Bypass - file Invoke-OSiRis.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_KHRAT_script date = 2017-08-31, hash1 = 8c88b4177b59f4cac820b0019bcc7f6d3d50ce4badb689759ab0966780ae32e3, author = Florian Roth, description = Rule derived from KHRAT script but can match on other malicious scripts as well, reference = https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: WiltedTulip_powershell date = 2017-07-23, hash1 = e5ee1f45cbfdb54b02180e158c3c1f080d89bce6a7d1fe99dd0ff09d47a36787, author = Florian Roth, description = Detects powershell script used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: WiltedTulip_Windows_UM_Task date = 2017-07-23, hash1 = 4c2fc21a4aab7686877ddd35d74a917f6156e48117920d45a3d2f21fb74fedd3, author = Florian Roth, description = Detects a Windows scheduled task as used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Impacket_Tools_Generic_1 date = 2017-04-07, hash5 = e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742, hash4 = ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6, hash3 = 2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1, hash2 = d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3, hash20 = 202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094, description = Compiled Impacket Tools, hash9 = 21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9, hash8 = 0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b, hash7 = dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98, hash6 = 27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364, reference = https://github.com/maaaaz/impacket-examples-windows, super_rule = 4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3, author = Florian Roth, hash10 = 4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a, hash11 = 47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d, hash12 = 7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2, hash17 = e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b, hash18 = 19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4, license = https://creativecommons.org/licenses/by-nc/4.0/, hash19 = 2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086, hash13 = 9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f, hash14 = d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7, hash15 = 8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699, hash16 = efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_Auditcleaner date = 2017-04-08, hash1 = 8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_elgingamble date = 2017-04-08, hash1 = 0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file elgingamble, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_cmsd date = 2017-04-08, hash1 = 634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file cmsd, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_ebbshave date = 2017-04-08, hash1 = eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_eggbasket date = 2017-04-08, hash1 = b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file eggbasket, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_sambal date = 2017-04-08, hash1 = 2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file sambal, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_envisioncollision date = 2017-04-08, hash1 = 75d5ec573afaf8064f5d516ae61fd105012cbeaaaa09c8c193c7b4f9c0646ea1, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file envisioncollision, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_cmsex date = 2017-04-08, hash1 = 2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file cmsex, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_DUL date = 2017-04-08, hash1 = 24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file DUL, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_slugger2 date = 2017-04-08, hash1 = a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file slugger2, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_jackpop date = 2017-04-08, hash1 = 0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file jackpop, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_epoxyresin_v1_0_0 date = 2017-04-08, hash1 = eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_estesfox date = 2017-04-08, hash1 = 33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file estesfox, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_elatedmonkey_1_0_1_1 date = 2017-04-08, hash1 = bf7a9dce326604f0681ca9f7f1c24524543b5be8b6fcc1ba427b18e2a4ff9090, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup__ftshell_ftshell_v3_10_3_0 date = 2017-04-08, hash2 = 0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup__scanner_scanner_v2_1_2 date = 2017-04-08, hash2 = 9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup__ghost_sparc_ghost_x86_3 date = 2017-04-08, hash2 = 82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup__jparsescan_parsescan_5 date = 2017-04-08, hash2 = 942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup__funnelout_v4_1_0_1 date = 2017-04-08, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 457ed14e806fdbda91c4237c8dc058c55e5678f1eecdd78572eff6ca0ed86d33
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup__magicjack_v1_1_0_0_client date = 2017-04-08, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup__ftshell date = 2017-04-08, hash4 = 0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_noclient_3_3_2 date = 2017-04-09, hash1 = 3cf0eb010c431372af5f32e2ee8c757831215f8836cabc7d805572bb5574fc72, author = Florian Roth, description = Equation Group hack tool set, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_Toolset_Apr17_Eternalromance date = 2017-04-15, hash2 = b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_Toolset_Apr17_Gen2 date = 2017-04-15, hash4 = 8f7e10a8eedea37ee3222c447410fd5b949bd352d72ef22ef0b2821d9df2f5ba, hash3 = f2e90e04ddd05fa5f9b2fec024cd07365aebc098593d636038ebc2720700662b, hash2 = 561c0d4fc6e0ff0a78613d238c96aed4226fbb7bb9ceea1d19bc770207a6be1e, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_Toolset_Apr17_ntevt date = 2017-04-15, hash1 = 4254ee5e688fc09bdc72bcc9c51b1524a2bb25a9fb841feaf03bc7ec1a9975bf, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld date = 2017-04-15, hash5 = 8419866c9058d738ebc1a18567fef52a3f12c47270f2e003b3e1242d86d62a46, hash4 = 551174b9791fc5c1c6e379dac6110d0aba7277b450c2563e34581565609bc88e, hash3 = c10f4b9abee0fde50fe7c21b9948a2532744a53bb4c578630a81d2911f6105a3, hash2 = 320144a7842500a5b69ec16f81a9d1d4c8172bb92301afd07fb79bc0eca81557, hash1 = 9ab667b7b5b9adf4ff1d6db6f804824a22c7cc003eb4208d5b2f12809f5e69d0, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 date = 2017-04-15, hash2 = 5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 date = 2017-04-15, hash5 = 5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337, hash4 = c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674, hash3 = 9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556, hash2 = c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EquationGroup_scanner_output date = 2017-04-17, author = Florian Roth, description = Detects output generated by EQGRP scanner.exe, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: dragos_crashoverride_moduleStrings author = Dragos Inc, description = IEC-104 Interaction Module Program Strings, reference = https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Obfuscated_VBS_April17 date = 2017-04-21, author = Florian Roth, description = Detects cloaked Mimikatz in VBS obfuscation, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Obfuscated_JS_April17 date = 2017-04-21, author = Florian Roth, description = Detects cloaked Mimikatz in JS obfuscation, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.324570617.0000000006668000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.323986177.0000000002E7D000.00000004.00000001.sdmp, type: MEMORY, Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_webshells_new_PHP1 date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file PHP1.php, score = 14c7281fdaf2ae004ca5fec8753ce3cb
Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, type: MEMORY, Matched rule: h4ntu_shell__powered_by_tsoi_ description = Semi-Auto-generated - file h4ntu shell [powered by tsoi
Source: 0000000A.00000003.313108656.0000000006641000.00000004.00000001.sdmp, type: MEMORY, Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000003.458084749.0000000006D9C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: multiple_webshells_0015 hash3 = 38fd7e45f9c11a37463c3ded1c76af4c, hash2 = 09609851caa129e40b0d56e90dfc476c, hash1 = 44542e5c3e9790815c49d5f9beffbbf2, hash0 = 9c5bb5e3a46ec28039e8986324e42792, author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, super_rule = _wacking_php_php_1_SpecialShell_99_php_php_c100_php
Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Webshell_27_9_acid_c99_locus7s date = 2016-01-11, hash5 = bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96, hash4 = 07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a, hash3 = 960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668, hash2 = 7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549, author = Florian Roth, description = Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, hash8 = ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f, hash7 = ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f, hash6 = 5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3, reference = https://github.com/nikicat/web-malware-collection, score = 2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4
Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: multiple_webshells_0015 hash3 = 38fd7e45f9c11a37463c3ded1c76af4c, hash2 = 09609851caa129e40b0d56e90dfc476c, hash1 = 44542e5c3e9790815c49d5f9beffbbf2, hash0 = 9c5bb5e3a46ec28039e8986324e42792, author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, super_rule = _wacking_php_php_1_SpecialShell_99_php_php_c100_php
Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Webshell_27_9_acid_c99_locus7s date = 2016-01-11, hash5 = bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96, hash4 = 07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a, hash3 = 960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668, hash2 = 7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549, author = Florian Roth, description = Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, hash8 = ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f, hash7 = ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f, hash6 = 5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3, reference = https://github.com/nikicat/web-malware-collection, score = 2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4
Source: 00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 00000013.00000003.470647242.0000000006B9B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_PHP_b37 date = 2014/01/28, author = Florian Roth, description = Web Shell - file b37.php, score = 0421445303cfd0ec6bc20b3846e30ff0
Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_PHP_b37 date = 2014/01/28, author = Florian Roth, description = Web Shell - file b37.php, score = 0421445303cfd0ec6bc20b3846e30ff0
Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000002.552309239.00000000036C7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, type: MEMORYMatched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, type: MEMORYMatched rule: Empire_Invoke_Shellcode date = 2015-08-06, author = Florian Roth, description = Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, reference = https://github.com/PowerShellEmpire/Empire, license = https://creativecommons.org/licenses/by-nc/4.0/, score = fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438
Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, type: MEMORYMatched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_jsp_cmdjsp date = 2014/01/28, author = Florian Roth, description = Web Shell - file cmdjsp.jsp, score = b815611cc39f17f05a73444d699341d4
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_sig_404super date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file 404super.php, score = 7ed63176226f83d36dce47ce82507b28
Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_webshells_new_Asp date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file Asp.asp, score = 32c87744ea404d0ea0debd55915010b7
Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, type: MEMORYMatched rule: multiple_webshells_0015 hash3 = 38fd7e45f9c11a37463c3ded1c76af4c, hash2 = 09609851caa129e40b0d56e90dfc476c, hash1 = 44542e5c3e9790815c49d5f9beffbbf2, hash0 = 9c5bb5e3a46ec28039e8986324e42792, author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, super_rule = _wacking_php_php_1_SpecialShell_99_php_php_c100_php
Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Webshell_27_9_acid_c99_locus7s date = 2016-01-11, hash5 = bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96, hash4 = 07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a, hash3 = 960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668, hash2 = 7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549, author = Florian Roth, description = Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, hash8 = ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f, hash7 = ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f, hash6 = 5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3, reference = https://github.com/nikicat/web-malware-collection, score = 2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4
Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, type: MEMORYMatched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Fierce2 date = 01.07.2014, author = Florian Roth, description = This signature detects the Fierce2 domain scanner, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx description = Web Shell - from files Shell [ci
Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: Volgmer_Malware date = 2017-11-15, hash5 = 6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1, hash4 = e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11, hash3 = eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5, hash2 = 8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b, hash1 = ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd, author = Florian Roth, description = Detects Volgmer malware as reported in US CERT TA17-318B, hash8 = 1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d, hash7 = 53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d, hash6 = fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9, reference = https://www.us-cert.gov/ncas/alerts/TA17-318B, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: ProcessInjector_Gen date = 2018-04-23, author = Florian Roth, description = Detects a process injection utility that can be used ofr good and bad purposes, reference = https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lazagne_PW_Dumper date = 2018-03-22, author = Markus Neis / Florian Roth, description = Detects Lazagne PW Dumper, reference = https://github.com/AlessandroZ/LaZagne/releases/, score =
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_shellpop_Bash date = 2018-05-18, hash1 = 36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b, author = Tobias Michalski, description = Detects susupicious bash command, reference = https://github.com/0x00-0x00/ShellPop
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lazarus_Dec_17_5 date = 2017-12-20, hash1 = db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471, author = Florian Roth, description = Detects Lazarus malware from incident in Dec 2017, reference = https://goo.gl/8U6fY2, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_Turla_Agent_BTZ_Gen_1 date = 2018-06-16, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = Internal Research, score = c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: Turla_Mal_Script_Jan18_1 date = 2018-01-19, hash1 = 180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc, author = Florian Roth, description = Detects Turla malicious script, reference = https://ghostbin.com/paste/jsph7, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: VBS_Obfuscated_Mal_Feb18_1 date = 2018-02-12, hash3 = e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74, hash2 = c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036, hash1 = 06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab, author = Florian Roth, description = Detects malicious obfuscated VBS observed in February 2018, reference = https://goo.gl/zPsn83, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_ScanCopyPDF_Feb18 date = 2018-02-14, hash1 = 6f8ff26a5daf47effdea5795cdadfff9265c93a0ebca0ce5a4144712f8cab5be, author = Florian Roth, description = Auto-generated rule - file Scan Copy.pdf.com, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: Armitage_msfconsole date = 2017-12-24, hash1 = 662ba75c7ed5ac55a898f480ed2555d47d127a2d96424324b02724b3b2c95b6a, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: Armitage_OSX date = 2017-12-24, hash2 = b7b506f38d0553cd2beb4111c7ef383c821f04cee5169fed2ef5d869c9fbfab3, hash1 = 2680d9900a057d553fcb28d84cdc41c3fc18fd224a88a32ee14c9c1b501a86af, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: Silence_malware_2 date = 2017-11-01, hash1 = 75b8f534b2f56f183465ba2b63cfc80b7d7d1d155697af141447ec7144c2ba27, author = Florian Roth, description = Detects malware sample mentioned in the Silence report on Securelist, reference = https://securelist.com/the-silence/83009/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: Invoke_PSImage date = 2017-12-16, author = Florian Roth, description = Detects a command to execute PowerShell from String, reference = https://github.com/peewpw/Invoke-PSImage, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: malware_apt15_royaldll sha256 = bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d, author = David Cannings, description = DLL implant, originally rights.dll and runs as a service
Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORYMatched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000003.312268650.0000000006667000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, type: MEMORYMatched rule: Empire_Invoke_Shellcode date = 2015-08-06, author = Florian Roth, description = Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, reference = https://github.com/PowerShellEmpire/Empire, license = https://creativecommons.org/licenses/by-nc/4.0/, score = fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438
Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, type: MEMORYMatched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, type: MEMORYMatched rule: multiple_webshells_0015 hash3 = 38fd7e45f9c11a37463c3ded1c76af4c, hash2 = 09609851caa129e40b0d56e90dfc476c, hash1 = 44542e5c3e9790815c49d5f9beffbbf2, hash0 = 9c5bb5e3a46ec28039e8986324e42792, author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, super_rule = _wacking_php_php_1_SpecialShell_99_php_php_c100_php
Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Webshell_27_9_acid_c99_locus7s date = 2016-01-11, hash5 = bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96, hash4 = 07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a, hash3 = 960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668, hash2 = 7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549, author = Florian Roth, description = Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, hash8 = ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f, hash7 = ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f, hash6 = 5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3, reference = https://github.com/nikicat/web-malware-collection, score = 2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4
Source: 00000013.00000003.481501193.0000000006DCE000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.324781029.00000000068E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.473662008.0000000006B9B000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_PHP_b37 date = 2014/01/28, author = Florian Roth, description = Web Shell - file b37.php, score = 0421445303cfd0ec6bc20b3846e30ff0
Source: 00000013.00000003.481442342.0000000006D9C000.00000004.00000001.sdmp, type: MEMORYMatched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 0000000A.00000003.325135478.0000000006854000.00000004.00000001.sdmp, type: MEMORYMatched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 00000013.00000003.463235186.0000000006E38000.00000004.00000001.sdmp, type: MEMORYMatched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.470663077.0000000006BA5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.324504797.0000000006892000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.325168966.0000000006892000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Fierce2 date = 01.07.2014, author = Florian Roth, description = This signature detects the Fierce2 domain scanner, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx description = Web Shell - from files Shell [ci
Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, type: MEMORYMatched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.312103557.0000000006629000.00000004.00000001.sdmp, type: MEMORYMatched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000002.541755283.0000000002FA0000.00000004.00000040.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = https://creativecommons.org/licenses/by-nc/4.0/, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_php_h6ss date = 2014/01/28, author = Florian Roth, description = Web Shell - file h6ss.php, score = 272dde9a4a7265d6c139287560328cd5
Source: 00000013.00000003.477128932.00000000052EB000.00000004.00000001.sdmp, type: MEMORYMatched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Volgmer_Malware date = 2017-11-15, hash5 = 6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1, hash4 = e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11, hash3 = eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5, hash2 = 8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b, hash1 = ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd, author = Florian Roth, description = Detects Volgmer malware as reported in US CERT TA17-318B, hash8 = 1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d, hash7 = 53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d, hash6 = fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9, reference = https://www.us-cert.gov/ncas/alerts/TA17-318B, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: ProcessInjector_Gen date = 2018-04-23, author = Florian Roth, description = Detects a process injection utility that can be used ofr good and bad purposes, reference = https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lazagne_PW_Dumper date = 2018-03-22, author = Markus Neis / Florian Roth, description = Detects Lazagne PW Dumper, reference = https://github.com/AlessandroZ/LaZagne/releases/, score =
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_shellpop_Bash date = 2018-05-18, hash1 = 36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b, author = Tobias Michalski, description = Detects susupicious bash command, reference = https://github.com/0x00-0x00/ShellPop
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lazarus_Dec_17_5 date = 2017-12-20, hash1 = db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471, author = Florian Roth, description = Detects Lazarus malware from incident in Dec 2017, reference = https://goo.gl/8U6fY2, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: APT_Turla_Agent_BTZ_Gen_1 date = 2018-06-16, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = Internal Research, score = c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: Turla_Mal_Script_Jan18_1 date = 2018-01-19, hash1 = 180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc, author = Florian Roth, description = Detects Turla malicious script, reference = https://ghostbin.com/paste/jsph7, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: VBS_Obfuscated_Mal_Feb18_1 date = 2018-02-12, hash3 = e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74, hash2 = c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036, hash1 = 06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab, author = Florian Roth, description = Detects malicious obfuscated VBS observed in February 2018, reference = https://goo.gl/zPsn83, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_ScanCopyPDF_Feb18 date = 2018-02-14, hash1 = 6f8ff26a5daf47effdea5795cdadfff9265c93a0ebca0ce5a4144712f8cab5be, author = Florian Roth, description = Auto-generated rule - file Scan Copy.pdf.com, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Armitage_msfconsole date = 2017-12-24, hash1 = 662ba75c7ed5ac55a898f480ed2555d47d127a2d96424324b02724b3b2c95b6a, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Armitage_OSX date = 2017-12-24, hash2 = b7b506f38d0553cd2beb4111c7ef383c821f04cee5169fed2ef5d869c9fbfab3, hash1 = 2680d9900a057d553fcb28d84cdc41c3fc18fd224a88a32ee14c9c1b501a86af, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Silence_malware_2 date = 2017-11-01, hash1 = 75b8f534b2f56f183465ba2b63cfc80b7d7d1d155697af141447ec7144c2ba27, author = Florian Roth, description = Detects malware sample mentioned in the Silence report on Securelist, reference = https://securelist.com/the-silence/83009/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Invoke_PSImage date = 2017-12-16, author = Florian Roth, description = Detects a command to execute PowerShell from String, reference = https://github.com/peewpw/Invoke-PSImage, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: malware_apt15_royaldll sha256 = bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d, author = David Cannings, description = DLL implant, originally rights.dll and runs as a service
Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY, Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.536292107.0000000002E75000.00000004.00000040.sdmp, type: MEMORY, Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Empire_Invoke_Shellcode date = 2015-08-06, author = Florian Roth, description = Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, reference = https://github.com/PowerShellEmpire/Empire, license = https://creativecommons.org/licenses/by-nc/4.0/, score = fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438
Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_jsp_cmdjsp date = 2014/01/28, author = Florian Roth, description = Web Shell - file cmdjsp.jsp, score = b815611cc39f17f05a73444d699341d4
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_sig_404super date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file 404super.php, score = 7ed63176226f83d36dce47ce82507b28
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_webshells_new_Asp date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file Asp.asp, score = 32c87744ea404d0ea0debd55915010b7
Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 00000013.00000003.470556930.0000000006B92000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit date = 2014/01/28, author = Florian Roth, description = Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, score = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: webshell_webshells_new_PHP1 date = 2014/03/28, author = Florian Roth, description = Web shells - generated from file PHP1.php, score = 14c7281fdaf2ae004ca5fec8753ce3cb
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: h4ntu_shell__powered_by_tsoi_ description = Semi-Auto-generated - file h4ntu shell [powered by tsoi
Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit author = Florian Roth, description = PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, hash = b2b797707e09c12ff5e632af84b394ad41a46fa4
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf date = 2017-02-09, hash1 = 320a01ec4e023fb5fbbaef963a2b57229e4f918847e5a49c7a3f631cb556e96c, author = Florian Roth, description = Metasploit Payloads - file msf.sh, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_2 date = 2017-02-09, hash1 = e52f98466b92ee9629d564453af6f27bd3645e00a9e2da518f5a64a33ccf8eb5, author = Florian Roth, description = Metasploit Payloads - file msf.asp, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_exe date = 2017-02-09, hash1 = 321537007ea5052a43ffa46a6976075cee6a4902af0c98b9fd711b9f572c20fd, author = Florian Roth, description = Metasploit Payloads - file msf-exe.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_3 date = 2017-02-09, hash1 = 335cfb85e11e7fb20cddc87e743b9e777dc4ab4e18a39c2a2da1aa61efdbd054, author = Florian Roth, description = Metasploit Payloads - file msf.psh, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_4 date = 2017-02-09, hash1 = 26b3e572ba1574164b76c6d5213ab02e4170168ae2bcd2f477f246d37dbe84ef, author = Florian Roth, description = Metasploit Payloads - file msf.aspx, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_exe_2 date = 2017-02-09, hash1 = 3a2f7a654c1100e64d8d3b4cd39165fba3b101bbcce6dd0f70dae863da338401, author = Florian Roth, description = Metasploit Payloads - file msf-exe.aspx, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_6 date = 2017-02-09, hash1 = 8d6f55c6715c4a2023087c3d0d7abfa21e31a629393e4dc179d31bb25b166b3f, author = Florian Roth, description = Metasploit Payloads - file msf.vbs, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_7 date = 2017-02-09, hash1 = 425beff61a01e2f60773be3fcb74bdfc7c66099fe40b9209745029b3c19b5f2f, author = Florian Roth, description = Metasploit Payloads - file msf.vba, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_8 date = 2017-02-09, hash1 = 519717e01f0cb3f460ef88cd70c3de8c7f00fb7c564260bd2908e97d11fde87f, author = Florian Roth, description = Metasploit Payloads - file msf.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_cmd date = 2017-02-09, hash1 = 9f41932afc9b6b4938ee7a2559067f4df34a5c8eae73558a3959dd677cb5867f, author = Florian Roth, description = Metasploit Payloads - file msf-cmd.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_11 date = 2017-02-09, hash1 = d1daf7bc41580322333a893133d103f7d67f5cd8a3e0f919471061d41cf710b6, author = Florian Roth, description = Metasploit Payloads - file msf.hta, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Msfpayloads_msf_ref date = 2017-02-09, hash1 = 4ec95724b4c2b6cb57d2c63332a1dd6d4a0101707f42e3d693c9aab19f6c9f87, author = Florian Roth, description = Metasploit Payloads - file msf-ref.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CVE_2017_8759_SOAP_Excel date = 2017-09-15, author = Florian Roth, description = Detects malicious files related to CVE-2017-8759, reference = https://twitter.com/buffaloverflow/status/908455053345869825, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: PowerShell_ISESteroids_Obfuscation date = 2017-06-23, author = Florian Roth, description = Detects PowerShell ISESteroids obfuscation, reference = https://twitter.com/danielhbohannon/status/877953970437844993, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Reflective_DLL_Loader_Aug17_1 date = 2017-08-20, hash1 = f2f85855914345eec629e6fc5333cf325a620531d1441313292924a88564e320, author = Florian Roth, description = Detects Reflective DLL Loader, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Reflective_DLL_Loader_Aug17_2 date = 2017-08-20, hash2 = b90831aaf8859e604283e5292158f08f100d4a2d4e1875ea1911750a6cb85fe0, author = Florian Roth, description = Detects Reflective DLL Loader - suspicious - Possible FP could be program crack, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score = c2a7a2d0b05ad42386a2bedb780205b7c0af76fe9ee3d47bbe217562f627fcae
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Reflective_DLL_Loader_Aug17_3 date = 2017-08-20, hash1 = d10e4b3f1d00f4da391ac03872204dc6551d867684e0af2a4ef52055e771f474, author = Florian Roth, description = Detects Reflective DLL Loader, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: VBScript_Favicon_File date = 2017-10-18, hash1 = 39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36, author = Florian Roth, description = VBScript cloaked as Favicon file used in Leviathan incident, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Backdoor_Redosdru_Jun17 date = 2017-06-04, hash1 = 4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309, author = Florian Roth, description = Detects malware Redosdru - file systemHome.exe, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Backdoor_Nitol_Jun17 date = 2017-06-04, hash1 = cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946, author = Florian Roth, description = Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, reference = https://goo.gl/OOB3mH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: HTA_with_WScript_Shell date = 2017-06-21, author = Florian Roth, description = Detects WScript Shell in HTA, reference = https://twitter.com/msftmmpc/status/877396932758560768, license = https://creativecommons.org/licenses/by-nc/4.0/, score = ca7b653cf41e980c44311b2cd701ed666f8c1dbc
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: HTA_Embedded date = 2017-06-21, author = Florian Roth, description = Detects an embedded HTA file, reference = https://twitter.com/msftmmpc/status/877396932758560768, license = https://creativecommons.org/licenses/by-nc/4.0/, score = ca7b653cf41e980c44311b2cd701ed666f8c1dbc
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: StoneDrill date = 2017-03-07, hash3 = 69530d78c86031ce32583c6800f5ffc629acacb18aac4c8bb5b0e915fc4cc4db, hash2 = 62aabce7a5741a9270cddac49cd1d715305c1d0505e620bbeaec6ff9b6fd0260, author = Florian Roth, description = Detects malware from StoneDrill threat report, reference = https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 2bab3716a1f19879ca2e6d98c518debb107e0ed8e1534241f7769193807aac83
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: StoneDrill_VBS_1 date = 2017-03-07, hash1 = 0f4d608a87e36cb0dbf1b2d176ecfcde837070a2b2a049d532d3d4226e0c9587, author = Florian Roth, description = Detects malware from StoneDrill threat report, reference = https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: EternalRocks_taskhost date = 2017-05-18, hash1 = cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30, author = Florian Roth, description = Detects EternalRocks Malware - file taskhost.exe, reference = https://twitter.com/stamparm/status/864865144748298242, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: BeyondExec_RemoteAccess_Tool date = 2017-03-17, hash1 = 3d3e3f0708479d951ab72fa04ac63acc7e5a75a5723eb690b34301580747032c, author = Florian Roth, description = Detects BeyondExec Remote Access Tool - file rexesvr.exe, reference = https://goo.gl/BvYurS, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Disclosed_0day_POCs_injector date = 2017-07-07, hash1 = ba0e2119b2a6bad612e86662b643a404426a07444d476472a71452b7e9f94041, author = Florian Roth, description = Detects POC code from disclosed 0day hacktool set, reference = Disclosed 0day Repos, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: OilRig_Strings_Oct17 date = 2017-10-18, author = Florian Roth, description = Detects strings from OilRig malware and malicious scripts, reference = https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Suspicious_Script_Running_from_HTTP author = Florian Roth, description = Detects a suspicious , reference = https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-20
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Industroyer_Malware_1 date = 2017-06-13, hash2 = 018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81, hash1 = ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Industroyer_Portscan_3_Output date = 2017-06-13, author = Florian Roth, description = Detects Industroyer related custom port scaner output file, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Industroyer_Malware_4 date = 2017-06-13, hash1 = 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Industroyer_Malware_5 date = 2017-06-13, hash1 = 7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad, author = Florian Roth, description = Detects Industroyer related malware, reference = https://goo.gl/x81cSy, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: redSails_PY date = 2017-10-02, hash2 = 5ec20cb99030f48ba512cbc7998b943bebe49396b20cf578c26debbf14176e5e, hash1 = 6ebedff41992b9536fe9b1b704a29c8c1d1550b00e14055e3c6376f75e462661, author = Florian Roth, description = Detects Red Sails Hacktool - Python, reference = https://github.com/BeetleChunks/redsails, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Rehashed_RAT_2 date = 2017-09-08, hash1 = 49efab1dedc6fffe5a8f980688a5ebefce1be3d0d180d5dd035f02ce396c9966, author = Florian Roth, description = Detects malware from Rehashed RAT incident, reference = https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Malware_QA_vqgk date = 2016-08-29, author = Florian Roth, description = VT Research QA uploaded malware - file vqgk.dll, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Microcin_Sample_5 date = 2017-09-26, hash1 = b9c51397e79d5a5fd37647bc4e4ee63018ac3ab9d050b02190403eb717b1366e, author = Florian Roth, description = Malware sample mentioned in Microcin technical report by Kaspersky, reference = https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = https://creativecommons.org/licenses/by-nc/4.0/, score = file
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: JS_Suspicious_Obfuscation_Dropbox date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://twitter.com/ItsReallyNick/status/887705105239343104, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: JS_Suspicious_MSHTA_Bypass date = 2017-07-19, author = Florian Roth, description = Detects MSHTA Bypass, reference = https://twitter.com/ItsReallyNick/status/887705105239343104, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: JavaScript_Run_Suspicious author = Florian Roth, description = Detects a suspicious Javascript Run command, reference = https://twitter.com/craiu/status/900314063560998912, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 2017-08-23
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: FVEY_ShadowBroker_Auct_Dez16_Strings date = 2016-12-17, author = Florian Roth, description = String from the ShodowBroker Files Screenshots - Dec 2016, score = https://bit.no.com:43110/theshadowbrokers.bit/post/message6/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Ysoserial_Payload_Spring1 date = 2017-02-04, hash5 = 95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1, hash4 = 5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c, hash3 = 8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8, hash2 = 9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a, hash1 = bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703, author = Florian Roth, description = Ysoserial Payloads - file Spring1.bin, hash7 = adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7, hash6 = 1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Ysoserial_Payload date = 2017-02-04, hash5 = 747ba6c6d88470e4d7c36107dfdff235f0ed492046c7ec8a8720d169f6d271f4, hash4 = 5c44482350f1c6d68749c8dec167660ca6427999c37bfebaa54f677345cdf63c, hash3 = 1da04d838141c64711d87695a4cdb4eedfd4a206cc80922a41cfc82df8e24187, hash2 = adf895fa95526c9ce48ec33297156dd69c3dbcdd2432000e61b2dd34ffc167c7, author = Florian Roth, description = Ysoserial Payloads, hash10 = 0143fee12fea5118be6dcbb862d8ba639790b7505eac00a9f1028481f874baa8, hash11 = 8cfa85c16d37fb2c38f277f39cafb6f0c0bd7ee62b14d53ad1dd9cb3f4b25dd8, hash12 = bf9b5f35bc1556d277853b71da24faf23cf9964d77245018a0fdf3359f3b1703, hash9 = 1fea8b54bb92249203d68d5564a01599b42b46fc3a828fe0423616ee2a2f2d99, hash8 = 95f966f2e8c5d0bcdfb34e603e3c0b911fa31fc960308e41fcd4459e4e07b4d1, hash7 = 5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56, hash6 = f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/, hash13 = f756c88763d48cb8d99e26b4773eb03814d0bd9bd467cc743ebb1479b2c4073e, super_rule = 9c0be107d93096066e82a5404eb6829b1daa6aaa1a7b43bcda3ddac567ce715a
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Ysoserial_Payload_3 date = 2017-02-04, hash2 = 5466d47363e11cd1852807b57d26a828728b9d5a0389214181b966bd0d8d7e56, author = Florian Roth, description = Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin, reference = https://github.com/frohoff/ysoserial, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = f0d2f1095da0164c03a0e801bd50f2f06793fb77938e53b14b57fd690d036929
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: CACTUSTORCH date = 2017-07-31, hash3 = a52d802e34ac9d7d3539019d284b04ded3b8e197d5e3b38ed61f523c3d68baa7, hash2 = 0305aa32d5f8484ca115bb4888880729af7f33ac99594ec1aa3c65644e544aea, hash1 = 314e6d7d863878b6dca46af165e7f08fedd42c054d7dc3828dc80b86a3a9b98c, author = Florian Roth, description = Detects CactusTorch Hacktool, reference = https://github.com/mdsecactivebreach/CACTUSTORCH, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: OpCloudHopper_Malware_2 date = 2017-04-03, hash1 = c1dbf481b2c3ba596b3542c7dc4e368f322d5c9950a78197a4ddbbaacbd07064, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: OpCloudHopper_Malware_3 date = 2017-04-03, hash1 = c21eaadf9ffc62ca4673e27e06c16447f103c0cf7acd8db6ac5c8bd17805e39d, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: OpCloudHopper_Malware_5 date = 2017-04-03, hash1 = beb1bc03bb0fba7b0624f8b2330226f8a7da6344afd68c5bc526f9d43838ef01, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: OpCloudHopper_WmiDLL_inMemory date = 2017-04-07, author = Florian Roth, description = Malware related to Operation Cloud Hopper - Page 25, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: VBS_WMIExec_Tool_Apr17_1 date = 2017-04-07, hash1 = 21bc328ed8ae81151e7537c27c0d6df6d47ba8909aebd61333e32155d01f3b11, author = Florian Roth, description = Tools related to Operation Cloud Hopper, reference = https://github.com/maaaaz/impacket-examples-windows, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY, Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, modified = 2020-07-27
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Mimipenguin_SH date = 2017-04-01, author = Florian Roth, description = Detects Mimipenguin Password Extractor - Linux, reference = https://github.com/huntergregal/mimipenguin, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: POSHSPY_Malware date = 2017-07-15, author = Florian Roth, description = Detects, reference = https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: FIN7_Backdoor_Aug17 date = 2017-08-04, author = Florian Roth, description = Detects Word Dropper from Proofpoint FIN7 Report, reference = https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Invoke_SMBExec date = 2017-06-14, hash1 = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd, author = Florian Roth, description = Detects Invoke-WmiExec or Invoke-SmbExec, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Invoke_WMIExec_Gen_1 date = 2017-06-14, hash2 = 7565d376665e3cd07d859a5cf37c2332a14c08eb808cc5d187a7f0533dc69e07, hash1 = 140c23514dbf8043b4f293c501c2f9046efcc1c08630621f651cfedb6eed8b97, author = Florian Roth, description = Detects Invoke-WmiExec or Invoke-SmbExec, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Invoke_SMBExec_Invoke_WMIExec_1 date = 2017-06-14, hash2 = b41bd54bbf119d153e0878696cd5a944cbd4316c781dd8e390507b2ec2d949e7, author = Florian Roth, description = Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Invoke_WMIExec_Gen date = 2017-06-14, hash3 = b41bd54bbf119d153e0878696cd5a944cbd4316c781dd8e390507b2ec2d949e7, hash2 = 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd, author = Florian Roth, description = Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1, reference = https://github.com/Kevin-Robertson/Invoke-TheHash, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 56c6012c36aa863663fe5536d8b7fe4c460565d456ce2277a883f10d78893c01
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: WMImplant date = 2017-03-24, hash1 = 860d7c237c2395b4f51b8c9bd0ee6cab06af38fff60ce3563d160d50c11d2f78, author = Florian Roth, description = Auto-generated rule - file WMImplant.ps1, reference = https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: FVEY_ShadowBrokers_Jan17_Screen_Strings date = 2017-01-08, author = Florian Roth, description = Detects strings derived from the ShadowBroker\'s leak of Windows tools/exploits, reference = https://bit.no.com:43110/theshadowbrokers.bit/post/message7/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Invoke_OSiRis date = 2017-03-27, hash1 = 19e4a8b07f85c3d4c396d0c4e839495c9fba9405c06a631d57af588032d2416e, author = Florian Roth, description = Osiris Device Guard Bypass - file Invoke-OSiRis.ps1, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: MAL_KHRAT_script date = 2017-08-31, hash1 = 8c88b4177b59f4cac820b0019bcc7f6d3d50ce4badb689759ab0966780ae32e3, author = Florian Roth, description = Rule derived from KHRAT script but can match on other malicious scripts as well, reference = https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: WiltedTulip_powershell date = 2017-07-23, hash1 = e5ee1f45cbfdb54b02180e158c3c1f080d89bce6a7d1fe99dd0ff09d47a36787, author = Florian Roth, description = Detects powershell script used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: WiltedTulip_Windows_UM_Task date = 2017-07-23, hash1 = 4c2fc21a4aab7686877ddd35d74a917f6156e48117920d45a3d2f21fb74fedd3, author = Florian Roth, description = Detects a Windows scheduled task as used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: WiltedTulip_WindowsTask date = 2017-07-23, hash5 = 984c7e1f76c21daf214b3f7e131ceb60c14abf1b0f4066eae563e9c184372a34, hash4 = 5046e7c28f5f2781ed7a63b0871f4a2b3065b70d62de7254491339e8fe2fa14a, hash3 = b6f515b3f713b70b808fc6578232901ffdeadeb419c9c4219fbfba417bba9f01, hash2 = 340cbbffbb7685133fc318fa20e4620ddf15e56c0e65d4cf1b2d606790d4425d, hash1 = c3cbe88b82cd0ea46868fb4f2e8ed226f3419fc6d4d6b5f7561e70f4cd33822c, author = Florian Roth, description = Detects hack tool used in Operation Wilted Tulip - Windows Tasks, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Impacket_Tools_Generic_1 date = 2017-04-07, hash5 = e2205539f29972d4e2a83eabf92af18dd406c9be97f70661c336ddf5eb496742, hash4 = ab909f8082c2d04f73d8be8f4c2640a5582294306dffdcc85e83a39d20c49ed6, hash3 = 2d8d500bcb3ffd22ddd8bd68b5b2ce935c958304f03729442a20a28b2c0328c1, hash2 = d256d1e05695d62a86d9e76830fcbb856ba7bd578165a561edd43b9f7fdb18a3, hash20 = 202a1d149be35d96e491b0b65516f631f3486215f78526160cf262d8ae179094, description = Compiled Impacket Tools, hash9 = 21d85b36197db47b94b0f4995d07b040a0455ebbe6d413bc33d926ee4e0315d9, hash8 = 0f7f0d8afb230c31fe6cf349c4012b430fc3d6722289938f7e33ea15b2996e1b, hash7 = dc85a3944fcb8cc0991be100859c4e1bf84062f7428c4dc27c71e08d88383c98, hash6 = 27bb10569a872367ba1cfca3cf1c9b428422c82af7ab4c2728f501406461c364, reference = https://github.com/maaaaz/impacket-examples-windows, super_rule = 4f7fad0676d3c3d2d89e8d4e74b6ec40af731b1ddf5499a0b81fc3b1cd797ee3, author = Florian Roth, hash10 = 4c2921702d18e0874b57638433474e54719ee6dfa39d323839d216952c5c834a, hash11 = 47afa5fd954190df825924c55112e65fd8ed0f7e1d6fd403ede5209623534d7d, hash12 = 7d715217e23a471d42d95c624179fe7de085af5670171d212b7b798ed9bf07c2, hash17 = e300339058a885475f5952fb4e9faaa09bb6eac26757443017b281c46b03108b, hash18 = 19544863758341fe7276c59d85f4aa17094045621ca9c98f8a9e7307c290bad4, license = https://creativecommons.org/licenses/by-nc/4.0/, hash19 = 2527fff1a3c780f6a757f13a8912278a417aea84295af1abfa4666572bbbf086, hash13 = 9706eb99e48e445ac4240b5acb2efd49468a800913e70e40b25c2bf80d6be35f, hash14 = d2856e98011541883e5b335cb46b713b1a6b2c414966a9de122ee7fb226aa7f7, hash15 = 8ab2b60aadf97e921e3a9df5cf1c135fbc851cb66d09b1043eaaa1dc01b9a699, hash16 = efff15e1815fb3c156678417d6037ddf4b711a3122c9b5bc2ca8dc97165d3769
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_Auditcleaner date = 2017-04-08, hash1 = 8c172a60fa9e50f0df493bf5baeb7cc311baef327431526c47114335e0097626, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_elgingamble date = 2017-04-08, hash1 = 0573e12632e6c1925358f4bfecf8c263dd13edf52c633c9109fe3aae059b49dd, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file elgingamble, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_cmsd date = 2017-04-08, hash1 = 634c50614e1f5f132f49ae204c4a28f62a32a39a3446084db5b0b49b564034b8, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file cmsd, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_ebbshave date = 2017-04-08, hash1 = eb5e0053299e087c87c2d5c6f90531cc1946019c85a43a2998c7b66a6f19ca4b, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_eggbasket date = 2017-04-08, hash1 = b078a02963610475217682e6e1d6ae0b30935273ed98743e47cc2553fbfd068f, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file eggbasket, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_sambal date = 2017-04-08, hash1 = 2abf4bbe4debd619b99cb944298f43312db0947217437e6b71b9ea6e9a1a4fec, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file sambal, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_envisioncollision date = 2017-04-08, hash1 = 75d5ec573afaf8064f5d516ae61fd105012cbeaaaa09c8c193c7b4f9c0646ea1, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file envisioncollision, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_cmsex date = 2017-04-08, hash1 = 2d8ae842e7b16172599f061b5b1f223386684a7482e87feeb47a38a3f011b810, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file cmsex, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_DUL date = 2017-04-08, hash1 = 24d1d50960d4ebf348b48b4db4a15e50f328ab2c0e24db805b106d527fc5fe8e, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file DUL, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_slugger2 date = 2017-04-08, hash1 = a6a9ab66d73e4b443a80a69ef55a64da7f0af08dfaa7e17eb19c327301a70bdf, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file slugger2, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_jackpop date = 2017-04-08, hash1 = 0b208af860bb2c7ef6b1ae1fcef604c2c3d15fc558ad8ea241160bf4cbac1519, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file jackpop, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_epoxyresin_v1_0_0 date = 2017-04-08, hash1 = eea8a6a674d5063d7d6fc9fe07060f35b16172de6d273748d70576b01bf01c73, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_estesfox date = 2017-04-08, hash1 = 33530cae130ee9d9deeee60df9292c00242c0fe6f7b8eedef8ed09881b7e1d5a, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file estesfox, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_elatedmonkey_1_0_1_1 date = 2017-04-08, hash1 = bf7a9dce326604f0681ca9f7f1c24524543b5be8b6fcc1ba427b18e2a4ff9090, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup__ftshell_ftshell_v3_10_3_0 date = 2017-04-08, hash2 = 0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup__scanner_scanner_v2_1_2 date = 2017-04-08, hash2 = 9807aaa7208ed6c5da91c7c30ca13d58d16336ebf9753a5cea513bcb59de2cff, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = dcbcd8a98ec93a4e877507058aa26f0c865b35b46b8e6de809ed2c4b3db7e222
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup__ghost_sparc_ghost_x86_3 date = 2017-04-08, hash2 = 82c899d1f05b50a85646a782cddb774d194ef85b74e1be642a8be2c7119f4e33, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = d5ff0208d9532fc0c6716bd57297397c8151a01bf4f21311f24e7a72551f9bf1
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup__jparsescan_parsescan_5 date = 2017-04-08, hash2 = 942c12067b0afe9ebce50aa9dfdbf64e6ed0702d9a3a00d25b4fca62a38369ef, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 8c248eec0af04300f3ba0188fe757850d283de84cf42109638c1c1280c822984
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup__funnelout_v4_1_0_1 date = 2017-04-08, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 457ed14e806fdbda91c4237c8dc058c55e5678f1eecdd78572eff6ca0ed86d33
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup__magicjack_v1_1_0_0_client date = 2017-04-08, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 63292a2353275a3bae012717bb500d5169cd024064a1ce8355ecb4e9bfcdfdd1
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup__ftshell date = 2017-04-08, hash4 = 0be739024b41144c3b63e40e46bab22ac098ccab44ab2e268efc3b63aea02951, author = Florian Roth, description = Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 9bebeb57f1c9254cb49976cc194da4be85da4eb94475cb8d813821fb0b24f893
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_noclient_3_3_2 date = 2017-04-09, hash1 = 3cf0eb010c431372af5f32e2ee8c757831215f8836cabc7d805572bb5574fc72, author = Florian Roth, description = Equation Group hack tool set, reference = https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_Toolset_Apr17_Eternalromance date = 2017-04-15, hash2 = b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = f1ae9fdbb660aae3421fd3e5b626c1e537d8e9ee2f9cd6d56cb70b6878eaca5d
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_Toolset_Apr17_Gen2 date = 2017-04-15, hash4 = 8f7e10a8eedea37ee3222c447410fd5b949bd352d72ef22ef0b2821d9df2f5ba, hash3 = f2e90e04ddd05fa5f9b2fec024cd07365aebc098593d636038ebc2720700662b, hash2 = 561c0d4fc6e0ff0a78613d238c96aed4226fbb7bb9ceea1d19bc770207a6be1e, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 7fe425cd040608132d4f4ab2671e04b340a102a20c97ffdcf1b75be43a9369b5
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_Toolset_Apr17_ntevt date = 2017-04-15, hash1 = 4254ee5e688fc09bdc72bcc9c51b1524a2bb25a9fb841feaf03bc7ec1a9975bf, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld date = 2017-04-15, hash5 = 8419866c9058d738ebc1a18567fef52a3f12c47270f2e003b3e1242d86d62a46, hash4 = 551174b9791fc5c1c6e379dac6110d0aba7277b450c2563e34581565609bc88e, hash3 = c10f4b9abee0fde50fe7c21b9948a2532744a53bb4c578630a81d2911f6105a3, hash2 = 320144a7842500a5b69ec16f81a9d1d4c8172bb92301afd07fb79bc0eca81557, hash1 = 9ab667b7b5b9adf4ff1d6db6f804824a22c7cc003eb4208d5b2f12809f5e69d0, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 date = 2017-04-15, hash2 = 5db457e7c7dba80383b1df0c86e94dc6859d45e1d188c576f2ba5edee139d9ae, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 052e778c26120c683ee2d9f93677d9217e9d6c61ffc0ab19202314ab865e3927
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 date = 2017-04-15, hash5 = 5c0896dbafc5d8cc19b1bc7924420b20ed5999ac5bee2cb5a91aada0ea01e337, hash4 = c5e119ff7b47333f415aea1d2a43cb6cb322f8518562cfb9b90399cac95ac674, hash3 = 9d16d97a6c964e0658b6cd494b0bbf70674bf37578e2ff32c4779a7936e40556, hash2 = c4152f65e45ff327dade50f1ac3d3b876572a66c1ce03014f2877cea715d9afd, author = Florian Roth, description = Detects EquationGroup Tool - April Leak, reference = https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 3e181ca31f1f75a6244b8e72afaa630171f182fbe907df4f8b656cc4a31602f6
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: EquationGroup_scanner_output date = 2017-04-17, author = Florian Roth, description = Detects output generated by EQGRP scanner.exe, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: dragos_crashoverride_moduleStrings author = Dragos Inc, description = IEC-104 Interaction Module Program Strings, reference = https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Obfuscated_VBS_April17 date = 2017-04-21, author = Florian Roth, description = Detects cloaked Mimikatz in VBS obfuscation, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORYMatched rule: Obfuscated_JS_April17 date = 2017-04-21, author = Florian Roth, description = Detects cloaked Mimikatz in JS obfuscation, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.316499473.0000000006860000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000002.523349455.00000000022DB000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000002.523349455.00000000022DB000.00000004.00000001.sdmp, type: MEMORYMatched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 0000000A.00000003.322872020.0000000006854000.00000004.00000001.sdmp, type: MEMORYMatched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: SQLMap date = 01.07.2014, author = Florian Roth, description = This signature detects the SQLMap SQL injection tool, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: PortRacer author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file PortRacer.exe, hash = 2834a872a0a8da5b1be5db65dfdef388
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Fierce2 date = 01.07.2014, author = Florian Roth, description = This signature detects the Fierce2 domain scanner, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORYMatched rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx description = Web Shell - from files Shell [ci
Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat date = 2014/01/28, hash4 = 3f71175985848ee46cc13282fbed2269, hash3 = 4108f28a9792b50d95f95b9e5314fa1e, hash2 = 1d912c55b96e2efe8ca873d6040e3b30, hash1 = 513b7be8bd0595c377283a7c87b44b2e, author = Florian Roth, description = Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, score = ae025c886fbe7f9ed159f49593674832
Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 00000013.00000003.464807403.0000000006D9C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: shankar_php_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file shankar.php.php.txt, hash = 6eb9db6a3974e511b7951b8f7e7136bb
Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Empire_Invoke_Shellcode date = 2015-08-06, author = Florian Roth, description = Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, reference = https://github.com/PowerShellEmpire/Empire, license = https://creativecommons.org/licenses/by-nc/4.0/, score = fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438
Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 00000013.00000002.542830535.0000000002FAE000.00000004.00000040.sdmp, type: MEMORY | Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Volgmer_Malware date = 2017-11-15, hash5 = 6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1, hash4 = e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11, hash3 = eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5, hash2 = 8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b, hash1 = ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd, author = Florian Roth, description = Detects Volgmer malware as reported in US CERT TA17-318B, hash8 = 1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d, hash7 = 53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d, hash6 = fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9, reference = https://www.us-cert.gov/ncas/alerts/TA17-318B, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: ProcessInjector_Gen date = 2018-04-23, author = Florian Roth, description = Detects a process injection utility that can be used ofr good and bad purposes, reference = https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lazagne_PW_Dumper date = 2018-03-22, author = Markus Neis / Florian Roth, description = Detects Lazagne PW Dumper, reference = https://github.com/AlessandroZ/LaZagne/releases/, score =
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_shellpop_Bash date = 2018-05-18, hash1 = 36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b, author = Tobias Michalski, description = Detects susupicious bash command, reference = https://github.com/0x00-0x00/ShellPop
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lazarus_Dec_17_5 date = 2017-12-20, hash1 = db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471, author = Florian Roth, description = Detects Lazarus malware from incident in Dec 2017, reference = https://goo.gl/8U6fY2, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_Turla_Agent_BTZ_Gen_1 date = 2018-06-16, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = Internal Research, score = c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Turla_Mal_Script_Jan18_1 date = 2018-01-19, hash1 = 180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc, author = Florian Roth, description = Detects Turla malicious script, reference = https://ghostbin.com/paste/jsph7, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: VBS_Obfuscated_Mal_Feb18_1 date = 2018-02-12, hash3 = e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74, hash2 = c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036, hash1 = 06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab, author = Florian Roth, description = Detects malicious obfuscated VBS observed in February 2018, reference = https://goo.gl/zPsn83, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_ScanCopyPDF_Feb18 date = 2018-02-14, hash1 = 6f8ff26a5daf47effdea5795cdadfff9265c93a0ebca0ce5a4144712f8cab5be, author = Florian Roth, description = Auto-generated rule - file Scan Copy.pdf.com, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Armitage_msfconsole date = 2017-12-24, hash1 = 662ba75c7ed5ac55a898f480ed2555d47d127a2d96424324b02724b3b2c95b6a, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Armitage_OSX date = 2017-12-24, hash2 = b7b506f38d0553cd2beb4111c7ef383c821f04cee5169fed2ef5d869c9fbfab3, hash1 = 2680d9900a057d553fcb28d84cdc41c3fc18fd224a88a32ee14c9c1b501a86af, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Silence_malware_2 date = 2017-11-01, hash1 = 75b8f534b2f56f183465ba2b63cfc80b7d7d1d155697af141447ec7144c2ba27, author = Florian Roth, description = Detects malware sample mentioned in the Silence report on Securelist, reference = https://securelist.com/the-silence/83009/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Invoke_PSImage date = 2017-12-16, author = Florian Roth, description = Detects a command to execute PowerShell from String, reference = https://github.com/peewpw/Invoke-PSImage, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: malware_apt15_royaldll sha256 = bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d, author = David Cannings, description = DLL implant, originally rights.dll and runs as a service
Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000003.325067585.0000000002E7E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Fierce2 date = 01.07.2014, author = Florian Roth, description = This signature detects the Fierce2 domain scanner, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx description = Web Shell - from files Shell [ci
Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, hash = 6163b30600f1e80d2bb5afaa753490b6
Source: 00000013.00000003.478269987.0000000002FAD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth, description = Auto-generated rule on file scanarator.exe, hash = 848bd5a518e0b6c05bd29aceb8536c46
Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: webshell_PHP_b37 date = 2014/01/28, author = Florian Roth, description = Web Shell - file b37.php, score = 0421445303cfd0ec6bc20b3846e30ff0
Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, hash = c6eeacbe779518ea78b8f7ed5f63fc11
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Volgmer_Malware date = 2017-11-15, hash5 = 6dae368eecbcc10266bba32776c40d9ffa5b50d7f6199a9b6c31d40dfe7877d1, hash4 = e40a46e95ef792cf20d5c14a9ad0b3a95c6252f96654f392b4bc6180565b7b11, hash3 = eff3e37d0406c818e3430068d90e7ed2f594faa6bb146ab0a1c00a2f4a4809a5, hash2 = 8fcd303e22b84d7d61768d4efa5308577a09cc45697f7f54be4e528bbb39435b, hash1 = ff2eb800ff16745fc13c216ff6d5cc2de99466244393f67ab6ea6f8189ae01dd, author = Florian Roth, description = Detects Volgmer malware as reported in US CERT TA17-318B, hash8 = 1d0999ba3217cbdb0cc85403ef75587f747556a97dee7c2616e28866db932a0d, hash7 = 53e9bca505652ef23477e105e6985102a45d9a14e5316d140752df6f3ef43d2d, hash6 = fee0081df5ca6a21953f3a633f2f64b7c0701977623d3a4ec36fff282ffe73b9, reference = https://www.us-cert.gov/ncas/alerts/TA17-318B, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: ProcessInjector_Gen date = 2018-04-23, author = Florian Roth, description = Detects a process injection utility that can be used ofr good and bad purposes, reference = https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 456c1c25313ce2e2eedf24fdcd4d37048bcfff193f6848053cbb3b5e82cd527d
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lazagne_PW_Dumper date = 2018-03-22, author = Markus Neis / Florian Roth, description = Detects Lazagne PW Dumper, reference = https://github.com/AlessandroZ/LaZagne/releases/, score =
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_shellpop_Bash date = 2018-05-18, hash1 = 36fad575a8bc459d0c2e3ad626e97d5cf4f5f8bedc56b3cc27dd2f7d88ed889b, author = Tobias Michalski, description = Detects susupicious bash command, reference = https://github.com/0x00-0x00/ShellPop
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: VBS_dropper_script_Dec17_1 date = 2018-01-01, author = Florian Roth, description = Detects a supicious VBS script that drops an executable, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lazarus_Dec_17_5 date = 2017-12-20, hash1 = db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471, author = Florian Roth, description = Detects Lazarus malware from incident in Dec 2017, reference = https://goo.gl/8U6fY2, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_Turla_Agent_BTZ_Gen_1 date = 2018-06-16, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = Internal Research, score = c905f2dec79ccab115ad32578384008696ebab02276f49f12465dcd026c1a615
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Suspicious_BAT_Strings date = 2018-01-05, author = Florian Roth, description = Detects a string also used in Netwire RAT auxilliary, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://pastebin.com/8qaiyPxs
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Turla_Mal_Script_Jan18_1 date = 2018-01-19, hash1 = 180b920e9cea712d124ff41cd1060683a14a79285d960e17f0f49b969f15bfcc, author = Florian Roth, description = Detects Turla malicious script, reference = https://ghostbin.com/paste/jsph7, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: VBS_Obfuscated_Mal_Feb18_1 date = 2018-02-12, hash3 = e1765a2b10e2ff10235762b9c65e9f5a4b3b47d292933f1a710e241fe0417a74, hash2 = c5c0e28093e133d03c3806da0061a35776eed47d351e817709d2235b95d3a036, hash1 = 06960cb721609fe5a857fe9ca3696a84baba88d06c20920370ddba1b0952a8ab, author = Florian Roth, description = Detects malicious obfuscated VBS observed in February 2018, reference = https://goo.gl/zPsn83, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_ScanCopyPDF_Feb18 date = 2018-02-14, hash1 = 6f8ff26a5daf47effdea5795cdadfff9265c93a0ebca0ce5a4144712f8cab5be, author = Florian Roth, description = Auto-generated rule - file Scan Copy.pdf.com, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Armitage_msfconsole date = 2017-12-24, hash1 = 662ba75c7ed5ac55a898f480ed2555d47d127a2d96424324b02724b3b2c95b6a, author = Florian Roth, description = Detects Armitage component, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
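A caveat on the match list above, with an added triage script that is not part of the Joe Sandbox report and not code from the analysed sample. The same memory regions (for example 00000013.00000003.415404464.0000000005130000 and 0000000A.00000003.305422889.0000000005007000) match rules for dozens of unrelated families and tools in one pass (Volgmer, Lazarus, Turla, LokiBot, Armitage, Invoke-Mimikatz, CoinMiner, Netwire, PHP webshells), and the Binary string entries later in this section show YARA string definitions such as $x2 = "\\beacon\\Release\\beacon.pdb" fullword ascii and rule reference text (the TA17-318B and MAR-10135536-B URLs) inside vnwareupdate.exe memory. That is what a process holding YARA rule source looks like, so the family detections this report lists should be treated as hits on rule text until one of them is confirmed against the process's own code or behaviour. The script parses report lines of the form shown on this page, groups them by the first dotted component of the dump name (taken here to be the per-process index; that reading of the report's naming is an assumption), and flags processes whose dumped strings are themselves YARA string definitions or that match an implausible number of distinct rules. The sample lines are constructed from entries on this page and are abridged.

```python
"""Triage sandbox YARA-in-memory hits for the "rule source in memory" false-positive pattern.

Added example for this page; not part of the Joe Sandbox report and not code from the
analysed sample. Assumption: the first dotted component of a dump name (00000013 in
00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp) is the process index.
"""
import re
from collections import defaultdict

# "Source: <dump>.sdmp, type: MEMORY Matched rule: <name> ..." (the report text fuses MEMORY and Matched)
HIT_RE = re.compile(
    r"^Source:\s*(?P<dump>\S+\.sdmp),\s*type:\s*MEMORY\s*Matched rule:\s*(?P<rule>\S+)"
)
# "Source: Binary string: <text> source: <process>, <dump>.sdmp"
BINSTR_RE = re.compile(
    r"^Source:\s*Binary string:\s*(?P<text>.*?)\s+source:\s*(?P<proc>\S+),\s*(?P<dump>\S+\.sdmp)"
)
# A YARA string definition: $name = "text" | /regex/ | { hex bytes }
YARA_STRING_DEF_RE = re.compile(r'^\$[A-Za-z0-9_]*\s*=\s*(?:"|/|\{)')

# Constructed from entries on this page (abridged); not a complete report.
SAMPLE_LINES = [
    "Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Volgmer_Malware date = 2017-11-15, author = Florian Roth",
    "Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: Invoke_Mimikatz date = 2016-08-03, author = Florian Roth",
    "Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth",
    "Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORYMatched rule: netwire author = JPCERT/CC Incident Response Group",
    "Source: 0000000A.00000003.325067585.0000000002E7E000.00000004.00000001.sdmp, type: MEMORYMatched rule: scanarator author = yarGen Yara Rule Generator by Florian Roth",
    r'Source: Binary string: $x2 = "\\beacon\\Release\\beacon.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp',
    r"Source: Binary string: $s2 = /\\Debug\\[a-z]{0,8}katz.pdb/ source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp",
    "Source: classification engineClassification label: mal100.rans.troj.expl.evad.mine.winEXE@15/1031@0/0",
]


def process_index(dump):
    """Per-process index of a dump name (first dotted component; see the assumption above)."""
    return dump.split(".")[0]


def parse_yara_hits(lines):
    """Map process index -> set of rule names that matched in that process's memory."""
    hits = defaultdict(set)
    for line in lines:
        m = HIT_RE.match(line.strip())
        if m:
            hits[process_index(m["dump"])].add(m["rule"])
    return dict(hits)


def parse_binary_strings(lines):
    """Map process index -> list of strings the report extracted from that process's memory."""
    strings = defaultdict(list)
    for line in lines:
        m = BINSTR_RE.match(line.strip())
        if m:
            strings[process_index(m["dump"])].append(m["text"])
    return dict(strings)


def looks_like_yara_source(text):
    """True if an extracted string is itself a YARA string definition rather than a malware artifact."""
    return bool(YARA_STRING_DEF_RE.match(text.strip()))


def triage(lines, many_rules=10):
    """Classify each process as 'rule-source-in-memory', 'suspiciously-many-families' or 'ok'."""
    hits = parse_yara_hits(lines)
    strings = parse_binary_strings(lines)
    per_process = {}
    for idx in sorted(set(hits) | set(strings)):
        rules = sorted(hits.get(idx, set()))
        yara_src = [s for s in strings.get(idx, []) if looks_like_yara_source(s)]
        if yara_src:
            verdict = "rule-source-in-memory"
        elif len(rules) >= many_rules:
            verdict = "suspiciously-many-families"
        else:
            verdict = "ok"
        per_process[idx] = {"rules": rules, "yara_source_strings": yara_src, "verdict": verdict}
    return {
        "per_process": per_process,
        # If any process holds rule source, every family hit in the report is unconfirmed.
        "rule_source_seen": any(p["verdict"] == "rule-source-in-memory" for p in per_process.values()),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES, many_rules=3)
    for idx, info in result["per_process"].items():
        print(f"{idx}: {info['verdict']} ({len(info['rules'])} rules, "
              f"{len(info['yara_source_strings'])} YARA string definitions)")
    print("rule source seen in memory:", result["rule_source_seen"])
```

Run it against the full plain-text report rather than the abridged sample to get a real count per process; the many_rules threshold is deliberately low in the usage call so the abridged sample trips it, and 10 is a more sensible default for a full report. A process that trips rule-source-in-memory is not thereby clean: it only means the YARA family names are not evidence on their own, and the behavioural findings (dropped files, process tree, registry access) still have to be judged separately.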
Source: classification engine | Classification label: mal100.rans.troj.expl.evad.mine.winEXE@15/1031@0/0
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | Code function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 3_2_02C46250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 5_2_02D56250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 8_2_02DB6250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 9_2_02BB6250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,
Source: C:\Users\user\Desktop\vnwareupdate.exe | Code function: 10_2_02BA6250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | Code function: 0_2_004044D1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | File created: C:\Users\user\Desktop\00554e26-4141-4a67-98c4-9454bf8d1c70.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | File created: C:\Users\user\AppData\Local\Temp\nswAFA.tmp
Source: GZe6EcSTpO.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: GZe6EcSTpO.exe | Virustotal: Detection: 52%
Source: GZe6EcSTpO.exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | File read: C:\Users\user\Desktop\GZe6EcSTpO.exe
Source: unknown | Process created: C:\Users\user\Desktop\GZe6EcSTpO.exe 'C:\Users\user\Desktop\GZe6EcSTpO.exe'
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' -r 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
Source: C:\Users\user\Desktop\vnwareupdate.exe | Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1092'
Source: C:\Users\user\Desktop\vnwareupdate.exe | Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1136'
Source: C:\Users\user\Desktop\vnwareupdate.exe | Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1244'
Source: C:\Users\user\Desktop\vnwareupdate.exe | Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1236'
Source: C:\Users\user\Desktop\vnwareupdate.exe | Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1256'
Source: C:\Users\user\Desktop\vnwareupdate.exe | Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1300'
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: GZe6EcSTpO.exe | Static file information: File size 16770272 > 1048576
Source: C:\Users\user\Desktop\vnwareupdate.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9415_none_508df7e2bcbccb90\MSVCR90.dll
Source: GZe6EcSTpO.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: $x1 = "\\BeyondExecV2\\Server\\Release\\Pipes.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\obj\\Debug\\exeruner.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\T+M\\Result\\DocPrint.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x3 = "\\RbDoorX64.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\UACElevator_RID2B2C.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\shellcodegenerator.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x4 = "\\Gubed\\Release\\Gubed.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\pstgdump_RID2A85.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x3 = "\\Release\\FakeRun.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "c:\\ntevt.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\BypassUAC.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\archer_lyl\\Release\\Archer_Input.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\ASGT.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = /\\Debug\\[a-z]{0,8}katz.pdb/ source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "ntfltmgr.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x4 = "\\Debug\\dloader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\ScreenMonitorService\\Release\\smmsrv.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\obj\\Debug\\AllTheThings_RID2BB8.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x5 = "mfc42l00.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\injector.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\ChromePasswordDump\\Release\\FireMaster.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\svc.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "Desktop\\Htran\\Release\\Htran.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "C:\\Documents and Settings\\Administrator\\Desktop\\GetPAI\\Out\\IE.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\EWSTEW.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\beacon\\Release\\beacon.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\Release\\dloader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\RoyalCli.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\BisonNewHNStubDll\\Release\\Goopdate.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\InjectDll.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "c:\\Development\\ghps\\nps\\nps\\obj\\x86\\Release\\nps.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Cobra\\Release\\Cobra.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\obj\\Debug\\Sharpire_RID2A4F.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\milk\\Release\\milk.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\NoPowerShell.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "S:\\Lidstone\\renewing\\HA\\disable\\In.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x6 = "\\x86\\Release\\word.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "D:\\gitpoc\\UAC\\src\\x64\\Release\\lpe.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s3 = "\\Release\\Loader.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\Release\\CnCerT.CCdoor.Client.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "D:\\Work\\Project\\VS\\HSSL\\HSSL_Unicode _2\\Release\\ServiceClient.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string (three reference strings repeated back to back in the dump, each URL truncated as in the dump): "BlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pd" (4 copies); "Privileges and Credentials: Phished at the Request of Counsel https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-c" (8 copies); "Strider: Cyberespionage group turns eye of Sauron on targets http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sau" (2 copies) source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp
Source: Binary string: $x1 = "F:\\Projects\\Bot\\Bot\\Release\\Ism.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\obj\\Release\\Step7ProSim.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD9Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD source: vnwareupdate.exe, 
00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source: Binary string: $s0 = "\\Release\\AppInitHook_RID2B57.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\inject.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "bin\\oSaberSvc.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "C:\\WRK\\GHook\\gHook\\x64\\Debug\\gHookx64.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "C:\\Projets\\vbsedit_source\\script2exe\\Release\\mywscript.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "srv\\newclient\\lib\\win32\\obj\\i386\\mstsc.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s0 = "\\Decompress\\obj\\Release\\Decompress.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "ipsearcher_RID2B37\\ipsearcher_RID2B37\\Release\\ipsearcher_RID2B37.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\x64\\x64passldr.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s3 = "\\epathobj_exp\\x64\\Release\\epathobj_exp.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x5 = "Celesty Binder\\Stub\\STATIC\\Stub.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDbBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD source: vnwareupdate.exe, 
00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\reflective_dll.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "src\\build\\Release\\dllConfig\\dllConfig.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\obj\\Release\\Myrtille.Services.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\obj\\x86\\Debug\\secure_scan.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\Win32Project1\\Release\\Win32Project1.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\Release\\RTLBot.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x7 = "\\obj\\Release\\Potato.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\ClearLog\\Release\\logC.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\ms11080\\ms11080\\Debug\\ms11080.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x4 = "Agent Injector\\PolicyConverter\\Joiner\\obj\\Release\\Joiner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x3 = "\\Release\\PhantomNet-SSL.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\CWoolger.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\Release\\Bot Fresh.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\BypassUacDll.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\Layer.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\kasper.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x3 = "Agent Injector\\PolicyConverter\\Inner\\obj\\Release\\Inner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\not copy\\obj\\Debug\\not copy.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\amd64\\elrawdsk.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s16 = ".\\lsasrv.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\FTPCom_vs10\\Release\\Engine.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: BlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pdBlackEnergy attacking mining and railway companies in Ukraine 
http://documents.trendmicro.com/assets/resources/IOC-KillDisk_and_BlackEnergy.pd source: vnwareupdate.exe, 00000003.00000002.565250671.0000000003FA1000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\PSAttack.pdb" fullword source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\Release\\WindowXarbot.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\objfre_w2k_x86\\i386\\guava.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s3 = "\\custact\\x86\\AICustAct.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "C:\\Users\\Lenovo\\Desktop\\test\\Release\\test.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\WinMain\\Release\\WinMain.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "Excalibur\\bin\\Shell.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x2 = "\\SkeyMan2.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD dBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDoBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD9Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDcBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDdBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDiBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDOThe Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/4dec74bc41c581b82459;APTnotes 2014 Operation_Poisoned_Hurricane.pdf 
source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\ReflectivLoader.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\fgexec_RID2983.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x7 = "\\obj\\Release\\botkill.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x6 = "Bot\\Release\\Ism.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\PowerShellRunner.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x5 = "Bot5\\Release\\Ism.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/The Maudi Operation (2012) https://raw.githubusercontent.com/lukaszbb/apt-analysis/master/reports_txt/2012/Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDh source: vnwareupdate.exe, 
00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\instlsp\\Release\\Lancer.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\MiniAsp4\\Release\\MiniAsp.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\scout\\Release\\scout.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\epathobj_exp\\Release\\epathobj_exp.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = /\\Release\\[a-z]{0,8}katz.pdb/ source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x4 = "BypassUac.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s5 = "%windows%\\mfc42l00.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s1 = "\\obj\\Release\\TempRacer_RID2A94.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\exploit.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s0 = "\\i386\\Hello.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s6 = "\\obj\\Release\\ZPP.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s3 = "uac\\bin\\install_test.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "C:\\Users\\Logintech\\Dropbox\\Projects\\New folder\\Latest\\Benchmark\\Benchmark\\obj\\Release\\Benchmark.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\Release\\dnscat2.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $x1 = "c:\\ntevt.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD5Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDaBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDtBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD-Bankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDABankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDTBankshot Lazarus Malware https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD8@ source: vnwareupdate.exe, 
00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Source: Binary string: $x1 = "\\support\\Release\\ab.pdb" ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s4 = "C:\\v3\\exe\\de_svr_inst.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: Binary string: $s2 = "\\ms11080\\Debug\\ms11080.pdb" fullword ascii source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 3_2_00401D61 push ecx; ret
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 3_2_02CFB2B1 push ecx; ret
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 3_2_02C39F8F pushfd ; ret
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 5_2_02E0B2B1 push ecx; ret
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 8_2_02E6B2B1 push ecx; ret
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 9_2_02C30678 push es; ret
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 9_2_02C6B2B1 push ecx; ret
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 10_2_02C5B2B1 push ecx; ret
Source: initial sample Static PE information: section name: .text entropy: 6.92175980221
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32api.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\winxpgui.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\python27.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\_cffi_backend.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\pyexpat.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.adsi.adsi.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\yara.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\mfc90.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._constant_time.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\bz2.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32clipboard.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\select.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32pdh.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\msvcp90.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\tk85.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\_ssl.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32pipe.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.directsound.directsound.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.mapi.mapi.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\python27.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.authorization.authorization.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._openssl.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\msvcm90.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32event.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\pywintypes27.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32trace.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\_socket.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32ui.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32wnet.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\_ctypes.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.taskscheduler.taskscheduler.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\tcl85.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.mapi.exchange.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.bits.bits.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\_tkinter.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\MSVCR90.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\pythoncom27.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.ifilter.ifilter.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.internet.internet.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\MSVCR90.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.axcontrol.axcontrol.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.axscript.axscript.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32gui.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.mapi.exchdapi.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\msvcr100.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\unicodedata.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\_hashlib.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.propsys.propsys.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.axdebug.axdebug.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\_multiprocessing.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\vnwareupdate.exe
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32file.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._padding.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\_win32sysloader.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32com.shell.shell.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File created: C:\Users\user\Desktop\lib\win32process.pyd

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation
Source: C:\Users\user\Desktop\vnwareupdate.exe File deleted: c:\users\user\desktop\gze6ecstpo.exe
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\vnwareupdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\vnwareupdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\vnwareupdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\vnwareupdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\vnwareupdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\vnwareupdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\vnwareupdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\vnwareupdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\vnwareupdate.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp Binary or memory string: $S5 = "WIRESHARK.EXE" FULLWORD ASCII
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp Binary or memory string: $A2 = "DUMPCAP.EXE" FULLWORD ASCII
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp Binary or memory string: $X12 = "ANTISNIFF -A WIRESHARK.EXE" FULLWORD ASCII
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp Binary or memory string: $S3 = "WINDUMP.EXE" FULLWORD ASCII
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp Binary or memory string: $S2 = "TCPDUMP.EXE" FULLWORD ASCII
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp Binary or memory string: $X1 = ";PROCMON64.EXE;NETMON.EXE;TCPVIEW.EXE;MINISNIFFER.EXE;SMSNIFF.EXE" ASCII
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\winxpgui.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32wnet.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.taskscheduler.taskscheduler.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\tcl85.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\pyexpat.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.mapi.exchange.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.bits.bits.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.adsi.adsi.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\_tkinter.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\yara.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\mfc90.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.ifilter.ifilter.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.internet.internet.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32clipboard.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\bz2.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\select.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.axcontrol.axcontrol.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.axscript.axscript.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32pdh.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32gui.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\msvcp90.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.mapi.exchdapi.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\tk85.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32pipe.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\msvcr100.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.mapi.mapi.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.directsound.directsound.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.propsys.propsys.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32event.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\msvcm90.dll
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.axdebug.axdebug.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32com.authorization.authorization.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\_win32sysloader.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32process.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32trace.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lib\win32ui.pyd
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Code function: 0_2_004062A3 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Code function: 0_2_004026FE FindFirstFileA,
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 3_2_02C46250 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetSystemInfo,
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\Application Data\
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\
Source: C:\Users\user\Desktop\vnwareupdate.exe File opened: C:\Documents and Settings\All Users\Application Data\Application Data\
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp Binary or memory string: Check_VMWare_DeviceMap
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp Binary or memory string: Check_VmTools
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp Binary or memory string: $v1 = "vmware" fullword ascii
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp Binary or memory string: Check_Qemu_Description
Source: GZe6EcSTpO.exe, 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Binary or memory string: "C:\Users\user\Desktop\vnwareupdate.exe" -r 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C:\Users\user\Desktop\Uninstall.exesmVath_DakotaxpTheme.tclluler.taskscheduler.pyde.pydx
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp Binary or memory string: .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q
Source: GZe6EcSTpO.exe, 00000000.00000002.225965765.000000000042C000.00000004.00020000.sdmp Binary or memory string: "C:\Users\user\Desktop\vnwareupdate.exe" -r 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GhT1
Source: vnwareupdate.exe, 00000003.00000002.516989975.00000000021F1000.00000004.00000001.sdmp Binary or memory string: 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
Source: vnwareupdate.exe, 00000003.00000002.522468680.00000000022F1000.00000004.00000001.sdmp Binary or memory string: antivm_vmware
Source: GZe6EcSTpO.exe, 00000000.00000002.226025578.0000000000470000.00000004.00000020.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Users\user\Desktop\vnwareupdate.exe"C:\Users\user\Desktop\vnwareupdate.exe" -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBV\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_InitializeS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=C:\Users\user\Desktop\vnwareupdate.exeWinsta0\Default=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\U\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\Users\userp
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp Binary or memory string: $v3 = "VMWVMCIHOSTDEV" fullword ascii
Source: vnwareupdate.exe, 00000003.00000002.516586653.00000000021E0000.00000004.00000040.sdmp Binary or memory string: C:\Users\user\Desktop\vnwareupdate.exe-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
Source: vnwareupdate.exe, 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp Binary or memory string: tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=q
Source: GZe6EcSTpO.exe, 00000000.00000002.225936254.000000000040A000.00000004.00020000.sdmp Binary or memory string: "C:\Users\user\Desktop\vnwareupdate.exe" -r 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
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 3_2_00401E98 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 3_2_00401A91 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 3_2_00401E98 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 3_2_02CFAD3E IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 5_2_02E0AD3E IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 8_2_02E6AD3E IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 9_2_02C6AD3E IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 10_2_02C5AD3E IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

Yara detected Powershell download and execute
Source: Yara match File source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Source: C:\Users\user\Desktop\vnwareupdate.exe Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1092'
Source: C:\Users\user\Desktop\vnwareupdate.exe Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1136'
Source: C:\Users\user\Desktop\vnwareupdate.exe Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1244'
Source: C:\Users\user\Desktop\vnwareupdate.exe Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1236'
Source: C:\Users\user\Desktop\vnwareupdate.exe Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1256'
Source: C:\Users\user\Desktop\vnwareupdate.exe Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1300'
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' -r 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
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Process created: C:\Users\user\Desktop\vnwareupdate.exe 'C:\Users\user\Desktop\vnwareupdate.exe' -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp Binary or memory string: DOF_PROGMAN
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\ad421c32-aaf8-4995-847c-18069215aace.md VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\ad421c32-aaf8-4995-847c-18069215aace.md VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\9703e260-d265-4332-8de3-4e5fab56a248.dll VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\9703e260-d265-4332-8de3-4e5fab56a248.dll VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\9703e260-d265-4332-8de3-4e5fab56a248.dll VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\status.log VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\00554e26-4141-4a67-98c4-9454bf8d1c70.dll VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\00554e26-4141-4a67-98c4-9454bf8d1c70.dll VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\2a5e15fa-fe3f-471c-b784-6a56e4aeac95.bin VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\fc38c7ee-ad18-4c74-a67c-9df763b1d8a4.bin VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\28f4fa56-e109-42e0-9d12-1e216cf1181f.bin VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\a6be3467-9cec-43b3-8e87-ded73d446923.bin VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\93d72046-08db-4412-ab52-b014148c1823.bin VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-filename-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\falsepositive-hashes.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Queries volume information: C:\Users\user\Desktop\otx-hash-iocs.txt VolumeInformation
Source: C:\Users\user\Desktop\vnwareupdate.exe Code function: 3_2_00401DC8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\GZe6EcSTpO.exe Code function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\vnwareupdate.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Codoso Ghost
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected GhostRat
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected Mimikatz
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected Mini RAT
Source: Yara match | File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nukesped
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected PupyRAT
Source: Yara match | File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected Quasar RAT
Source: Yara match | File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected RevengeRAT
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected WebMonitor RAT
Source: Yara match | File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Remote Access Functionality:

Detected HawkEye Rat
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp | String found in binary or memory: \HawkEye_Keylogger_
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: rule MAL_HawkEye_Keylogger_Gen_Dec18_RID324D : DEMO GEN HKTL MAL T1056 T1113 {
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: rule HawkEye_Keylogger_Feb18_1_RID302C : DEMO EXE FILE MAL T1056 {
Detected Nanocore Rat
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: $x2 = "NanoCore.ClientPluginHost" fullword ascii
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: $x1 = "NanoCore.ClientPluginHost" fullword ascii
Detected xRAT
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: $x5 = "<description>My UAC Compatible application</description>" fullword ascii
Yara detected CobaltStrike
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected Codoso Ghost
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected GhostRat
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected Mini RAT
Source: Yara match | File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nukesped
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected PupyRAT
Source: Yara match | File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected Quasar RAT
Source: Yara match | File source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected RevengeRAT
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected Turla ComRAT XORKey
Source: Yara match | File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY
Yara detected WebMonitor RAT
Source: Yara match | File source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vnwareupdate.exe PID: 2540, type: MEMORY

Mitre Att&ck Matrix

The matrix is listed here by tactic column. A number in parentheses is the count of signatures matched for that technique; techniques without a count are matrix entries with no matching signature.

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
  • Execution: Command and Scripting Interpreter (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
  • Privilege Escalation: Access Token Manipulation (1), Process Injection (12), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
  • Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (12), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), File Deletion (1)
  • Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
  • Discovery: System Time Discovery (1), Query Registry (1), Security Software Discovery (121), Virtualization/Sandbox Evasion (1), Process Discovery (1), File and Directory Discovery (3), System Information Discovery (16), Network Service Scanning
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
  • Collection: Archive Collected Data (1), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  • Command and Control: Encrypted Channel (2), Remote Access Software (3), Proxy (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Data Encrypted for Impact (2), System Shutdown/Reboot (1), Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails: screenshot images (windows-stand) are not included in this text export.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
GZe6EcSTpO.exe | 53% | Virustotal | -
GZe6EcSTpO.exe | 42% | ReversingLabs | ByteCode-MSIL.Spyware.Heye
GZe6EcSTpO.exe | 100% | Avira | BDS/Fynloski.hmjvc

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spfdNearly | 0% | Avira URL Cloud | safe
https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.htmls/Operation | 0% | Avira URL Cloud | safe
https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishinn | 0% | Avira URL Cloud | safe
https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdfLegspin | 0% | Avira URL Cloud | safe
https://www.blueliv.com | 0% | Avira URL Cloud | safe
http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfHancitor | 0% | Avira URL Cloud | safe
http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-insti:/Multiple | 0% | Avira URL Cloud | safe
http://www.clearskysec.com/winnti/Recent | 0% | Avira URL Cloud | safe
http://www.crysys.hu/miniduke/miniduke_indicators_public.pdfMiniduke | 0% | Avira URL Cloud | safe
http://www.clearskysec.com/dustysky/ | 0% | Avira URL Cloud | safe
http://x.x.x/x.dll | 0% | Avira URL Cloud | safe
http://pwc.blogs.com/files/cto-tib-20150223-01a.pdfSakula | 0% | Avira URL Cloud | safe
http://www.intezer.com/another-distraction-new-version-north-korean-ransomware-h24A | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://goo.gl/joxXHFvnwareupdate.exe, 00000003.00000002.545077306.0000000003787000.00000004.00000001.sdmpfalse
    high
    https://www.alienvault.com/open-threat-ex/Operationvnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpfalse
      high
      http://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/Unveiling%20araHangovervnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpfalse
        high
        https://www.arbornetworks.com/blog/asert/dirtjumpers-ddos-engine-gets-a-tune-up-kCommunitiesvnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpfalse
          high
          http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spfdNearlyvnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdfpoOperationvnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmpfalse
            high
            http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/ScBankingvnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpfalse
              high
              https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.htThevnwareupdate.exe, 00000003.00000002.570079073.0000000004121000.00000004.00000001.sdmpfalse
                high
                http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeNwOperationvnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpfalse
                  high
                  https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/vnwareupdate.exe, 00000003.00000003.232758250.0000000005F33000.00000004.00000001.sdmpfalse
                    high
                    https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdfStantinkovnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpfalse
                      high
                      http://news.asiaone.com/newsvnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmpfalse
                        high
                        http://phishme.com/disrupting-an-adware-serving-skype-botnet/vnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpfalse
                          high
                          https://www.proofpoint.com/us/threat-insight/post/Meet-GreenDispenservnwareupdate.exe, 00000003.00000003.232809431.0000000005F73000.00000004.00000001.sdmpfalse
                            high
                            http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-famiCommentvnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpfalse
                              high
                              http://www.welivesecurity.com/2015/04/09/operation-buhtrap/ROKRATvnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpfalse
                                high
                                https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-insidsOperationvnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpfalse
                                  high
                                  https://mymalwareparty.blogspot.co.uk/2017/07/operation-desert-eagle.htmls/Operationvnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://goo.gl/SGcS2HSymantecvnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmpfalse
                                    high
                                    http://cyber.verint.com/nymaim-malware-variant/aAPT28vnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpfalse
                                      high
                                      https://goo.gl/rW1yvZvnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpfalse
                                        high
                                        https://cysinfo.com/malware-actors-using-nic-cyber-security-themed-spear-phishinnvnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://www.bluecoat.com/security-blog/2015-08-21/tinted-cve-decoy-spearphising-Spearphisingvnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpfalse
                                          high
                                          http://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intellige8vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmpfalse
                                            high
                                            http://blog.cylance.com/spear-a-threat-actor-resurfacesThevnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmpfalse
                                              high
                                              https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confuciuClDecipheringvnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpfalse
                                                high
                                                https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-tieseNewvnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malw-Goldvnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdfLegspinvnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://research.checkpoint.com/apt-attack-middle-east-big-bang/vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpfalse
                                                      high
                                                      https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custoChinesevnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-pevnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://phishme.com/bolek-leaked-carberp-kbot-source-code-complicit-new-phishing-Bolek:vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdvnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHas.Operationvnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://goo.gl/7jGkpVvnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  http://blog.talosintelligence.com/2017/09/brazilbanking.htmlGlobevnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://www.welivesecurity.com/2016/07/12/nymaim-rides-2016-reaches-brazil/Reginvnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://www.blueliv.comvnwareupdate.exe, 00000003.00000003.234338719.0000000006073000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.aftana.ir/images/docs/files/000002/nf00002716-1.pdfHancitorvnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://securelist.com/analysis/publications/69953/the-naikon-apt/Citadelvnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        http://phishme.com/disrupting-an-adware-serving-skype-botnet/Pushdovnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          http://2016.eicar.org/85-0-Download.htmlvnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://vms.drweb.com/virus/?_is=1&ampLinux.Proxy.10vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237309639.0000000003707000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdfampAnalysisvnwareupdate.exe, 00000003.00000002.546099143.00000000037C7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papeioOperationvnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://blogs.cisco.com/security/talos/malicious-pngs6b44c772bac7cc958b1b4535f02a584fc3a55377a3e7f4ccvnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discoversKorplugvnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        https://www.alienvault.com/blogs/labs-researcwrWannaCryvnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malverNewvnwareupdate.exe, 00000003.00000002.544656700.0000000003747000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://www.cyphort.com/multiple-malwares-used-to-target-an-asian-financial-insti:/Multiplevnwareupdate.exe, 00000003.00000002.557653688.0000000003E61000.00000004.00000001.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://github.com/ptrrkssn/pnscanvnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              http://community.hpe.com/t5/Security-Research/9002-RAT-a-second-building-on-the-vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apac9Vulnerabilitiesvnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmpfalse
                                                                                                  high
Name: http://www.clearskysec.com/winnti/Recent
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-speaLeviathan:
Source: vnwareupdate.exe, 00000003.00000003.234581767.0000000006173000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.crysys.hu/miniduke/miniduke_indicators_public.pdfMiniduke
Source: vnwareupdate.exe, 0000000A.00000003.287952784.00000000060E3000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate
Source: vnwareupdate.exe, 00000003.00000003.233888921.0000000005C33000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.waseda.jp/navi/security/2017/0414.htmlCallisto
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.clearskysec.com/dustysky/
Source: vnwareupdate.exe, 00000003.00000003.242880867.0000000003BE7000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-y8
Source: vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.malware-traffic-analysis.net/2017/03/30/index2.htmlxCaon
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://researchcenter.paloaltonetworks.com/2018/01/unit42-powerstager-analysis/4PowerStager
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server-en/dDDG:
Source: vnwareupdate.exe, 00000003.00000002.539291516.0000000003621000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets
Source: vnwareupdate.exe, 00000003.00000003.233614213.0000000005D73000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PD1Truebot.A
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://go.cybereason.com/rs/996-
Source: vnwareupdate.exe, 00000003.00000003.233668995.0000000005DB3000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.symantec.com/security_response/writeup.jsp?docid=2018-021208-2435-99Ransom.ShurL0ckr
Source: vnwareupdate.exe, 00000003.00000003.234528386.0000000006133000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://blogs.rsa.com/wp-content/Operation
Source: vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://researchcenter.paloaltonetworks.com/2016/01/nettraveler-spear-phishing-emNetTraveler
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfi
Source: vnwareupdate.exe, 00000003.00000003.237651120.0000000003927000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-aOperation
Source: vnwareupdate.exe, 00000003.00000002.539674279.0000000003681000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/Spear
Source: vnwareupdate.exe, 00000003.00000002.569366992.00000000040E1000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://x.x.x/x.dll
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://pwc.blogs.com/files/cto-tib-20150223-01a.pdfSakula
Source: vnwareupdate.exe, 00000003.00000002.527918576.0000000002831000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://www.bluecoat.com/security-blog/2015-04-09/visual-basic-script-malware-rePotential
Source: vnwareupdate.exe, 00000003.00000003.234668873.00000000061F3000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/
Source: vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://twitter.com/eyaBanking
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20RRSA
Source: vnwareupdate.exe, 00000003.00000002.543787913.0000000003707000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/
Source: vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://twitter.com/cyb3rops/status/1097423665472376832ASCS
Source: vnwareupdate.exe, 00000003.00000003.237491320.0000000003807000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://www.intezer.com/another-distraction-new-version-north-korean-ransomware-h24A
Source: vnwareupdate.exe, 00000003.00000002.538970312.00000000035E1000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: https://objective-see.com/blog/blog_0x26.html
Source: vnwareupdate.exe, 00000003.00000003.237611046.00000000038E7000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.245916145.0000000003967000.00000004.00000001.sdmp, vnwareupdate.exe, 00000003.00000003.237713875.0000000003967000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://blog.talosintelligence.com/2017/02/korean-maldoc.htmlCloud
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://researchcenter.paloaltonetworks.com/2015/07/apt-group-ups-targets-us-gove
Source: vnwareupdate.exe, 00000003.00000003.242436168.0000000003BA7000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blackD1Following
Source: vnwareupdate.exe, 00000003.00000002.528939253.000000000297B000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.welivesecurity.com/wp-content/uploads/2017/07/Stantinko.pdf.
Source: vnwareupdate.exe, 00000003.00000002.570785608.0000000004161000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.riskiq.com/blog/labs/fake-flash-update-watering-hole-attack/
Source: vnwareupdate.exe, 00000003.00000003.245318104.0000000003B27000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://twitter.com/0x766c6164/status/794176576011309056
Source: vnwareupdate.exe, 00000003.00000003.241595025.0000000005951000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://goo.gl/t3uUTG
Source: vnwareupdate.exe, 00000014.00000003.479045359.00000000036D7000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDeBankshot
Source: vnwareupdate.exe, 00000003.00000003.237137501.0000000002B8E000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://securelist.com/analysis/publications/69953/the-naikon-apt/
Source: vnwareupdate.exe, 00000003.00000003.241827224.0000000005711000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-atOilRig
Source: vnwareupdate.exe, 00000003.00000003.234630712.00000000061B3000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://www.openssl.org/docs/faq.html
Source: vnwareupdate.exe
Malicious: false
Reputation: high

Name: https://blogs.forcepoint.com/security-labs/ursnif-variant-found-using-mouse-move8
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-custoZEUS
Source: vnwareupdate.exe, 00000003.00000002.565870570.0000000003FE1000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-si
Source: vnwareupdate.exe, 00000003.00000003.241572242.0000000005911000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://research.zscaler.com/2016/01/there-goes-neighborhood-bad-actors-on.htmlTThere
Source: vnwareupdate.exe, 00000003.00000003.237183356.0000000002BCE000.00000004.00000001.sdmp
Malicious: false
Reputation: high
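Triage helper for the URL table above, added here as an example; it is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It takes rows with the table's five fields (Name, Source, Malicious, Antivirus Detection, Reputation), splits each Source cell into its per-dump entries, groups the name strings by the memory dump they were read from so an analyst knows which dump to pull strings from, and lists the rows the report left at reputation "unknown". The sample rows are copied from the table; the reading of the dump file name fields (process index, dump phase, timestamp, region base address) is an assumption, since the page does not document that naming.

```python
"""Group the URL strings of a Joe Sandbox 'URLs' table by memory dump and
list the ones still needing a human verdict. Added example, not report code."""
import re
from collections import defaultdict

# Constructed sample: rows copied from the report's URL table.
# (name string as found in memory, source cell, malicious flag,
#  antivirus verdict or None when the report shows none, reputation)
ROWS = [
    ("http://www.clearskysec.com/winnti/Recent",
     "vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp",
     False, "Avira URL Cloud: safe", "unknown"),
    ("https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.htmlAPT32",
     "vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp",
     False, None, "high"),
    ("http://blog.trendmicro.com/trendlabs-security-intelligence/lurk-retracing-five-y8",
     "vnwareupdate.exe, 00000003.00000002.567684552.0000000004061000.00000004.00000001.sdmp",
     False, None, "high"),
    ("https://blogs.rsa.com/wp-content/Operation",
     "vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp",
     False, None, "high"),
    ("http://x.x.x/x.dll",
     "vnwareupdate.exe, 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp",
     False, "Avira URL Cloud: safe", "unknown"),
    ("https://www.arbornetworks.com/blog/asert/flokibot-invades-pos-trouble-brazil/",
     "vnwareupdate.exe, 00000003.00000003.234026973.0000000005B73000.00000004.00000001.sdmp, "
     "vnwareupdate.exe, 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp",
     False, None, "high"),
    ("https://www.openssl.org/docs/faq.html",
     "vnwareupdate.exe",          # bare image name: string found in the file itself
     False, None, "high"),
]

# Dump file names look like 00000003.00000002.568465087.00000000040A1000.00000004.00000001.sdmp.
# Assumption (not documented on the page): field 1 is the process index used in the
# report, field 2 the dump phase, field 3 a timestamp, field 4 the region base address.
# Fields 5 and 6 are matched but not interpreted.
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp"
)


def parse_sources(source: str) -> list[dict]:
    """Split a Source cell into one entry per (image, dump) pair.
    An image name with no dump after it means the string came from the file on disk."""
    parts = [p.strip() for p in source.split(",")]
    entries, i = [], 0
    while i < len(parts):
        image = parts[i]
        nxt = parts[i + 1] if i + 1 < len(parts) else ""
        m = DUMP_RE.fullmatch(nxt)
        if m:
            entries.append({"image": image, "proc": int(m["proc"], 16),
                            "phase": int(m["phase"], 16), "ts": int(m["ts"]),
                            "base": int(m["base"], 16), "dump": nxt})
            i += 2
        else:
            entries.append({"image": image, "proc": None, "phase": None,
                            "ts": None, "base": None, "dump": None})
            i += 1
    return entries


def by_region(rows) -> dict[str, list[str]]:
    """Map each dump (or 'static:<image>' for the file itself) to the name strings in it."""
    regions = defaultdict(list)
    for name, source, *_ in rows:
        for src in parse_sources(source):
            regions[src["dump"] or f"static:{src['image']}"].append(name)
    return dict(regions)


def needs_review(rows) -> list[str]:
    """Rows neither flagged malicious nor given a 'high' reputation."""
    return [name for name, _, malicious, _, rep in rows
            if not malicious and rep != "high"]


def unique_hosts(rows) -> set[str]:
    """Host part of each name string. The raw strings are memory reads and several
    carry bytes past the end of the URL ('...apt32.htmlAPT32'), so the host is the
    only part safe to pivot on without manual cleanup."""
    hosts = set()
    for name, *_ in rows:
        m = re.match(r"https?://([^/]+)", name)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


if __name__ == "__main__":
    for dump, names in sorted(by_region(ROWS).items()):
        print(dump)
        for n in names:
            print("   ", n)
    print("needs review:", needs_review(ROWS))
    print("hosts:", sorted(unique_hosts(ROWS)))
```

On the sample rows the three "winnti", "rsa wp-content" and "flokibot" strings land in the same dump of process 3 at base 0x40A1000, and the two "unknown" rows (the ClearSky winnti string and http://x.x.x/x.dll) come out of needs_review: each has a single URL-cloud lookup saying "safe" and nothing else, which is why the helper hands them to a human rather than treating them as cleared.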

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 380813
Start date: 02.04.2021
Start time: 13:45:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: GZe6EcSTpO (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.troj.expl.evad.mine.winEXE@15/1031@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 100% (good quality ratio 95.8%)
• Quality average: 84.5%
• Quality standard deviation: 25.1%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
                                                                                                                                                                                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                                                                • Created / dropped Files have been reduced to 100
                                                                                                                                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                                                • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                • Report size getting too big, too many NtWriteFile calls found.

                                                                                                                                                                                Simulations

Behavior and APIs
No simulations

Joe Sandbox View / Context

IPs
No context

Domains
No context

ASN
No context

JA3 Fingerprints
No context

Dropped Files
No context

Created / dropped Files

C:\Users\user\Desktop\00554e26-4141-4a67-98c4-9454bf8d1c70.dll
Process: C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type: Unknown
Category: dropped
Size (bytes): 814
Entropy (8bit): 5.9972119194817886
Encrypted: false
SSDEEP: 24:Lrir6LS7hRhOfHpQGxNrZ3dwrfBykIK1/2Gc:Lrir6LS79cVx1U/l1/23
MD5: 6D20AF695248EAF93481520F7E2DD3ED
SHA1: 6C796CD496159763A9FA6B3A9A4AEFA19290EA69
SHA-256: A95295DAF42AB4AC347147E74F586FF9F66FCBC542ED9A47828C70E602963E02
SHA-512: 919FCE23EB522FC5DD96157BBE3ABBE8E9CF84E8333095E1A34D8EEE299462EDBEDA41D77B201E5BB2D2256CFBB9C785F8BF48C172F2F3A04F241BB902CEAD32
Malicious: false
Reputation: low

C:\Users\user\Desktop\28f4fa56-e109-42e0-9d12-1e216cf1181f.bin
Process: C:\Users\user\Desktop\vnwareupdate.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 686
Entropy (8bit): 5.950052331527314
Encrypted: false
SSDEEP: 12:M04wfibXi2jtURXWCYINWLxjlL+GzSu3Jj7gTwXVUmR4ccFxedz8zuMt:DLawYAKRN+sJjkTOL4czwzp
MD5: D2DC890D420A752343B84777B2B15018
SHA1: 52693B5E57B270E90705BCEA61A1B8FD77702F9B
SHA-256: 6617AA8DC747A36F6F399485578202B60C12B4FDC66BB30A7411B3ECA5643D03
SHA-512: 78960DD4DB754FF901337E4F85E5D5296F4EB8BDB16563AAC604B6F31CA0B27FE46F8550F39D46D70B44A3994D727C41ED1C6208893A41F7C08730223F5C4618
Malicious: false
Reputation: low

C:\Users\user\Desktop\2a5e15fa-fe3f-471c-b784-6a56e4aeac95.bin
Process: C:\Users\user\Desktop\vnwareupdate.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 691
Entropy (8bit): 4.519576746002026
Encrypted: false
SSDEEP: 12:ToTbaQoT/CAoT7zPouQHbW8PouQQcCoyfQuq77oluZDqu7oXo28F/LIb:cg23XcZbUBRB0luZeuMYn/L2
MD5: 3C347E3891AD17A7A67D80E0CC4DED5F
SHA1: F5597FF96A4F71C5E4FE3619D311D1010A8E4DAA
SHA-256: 7BCB4D39B18A2D4604A1CA09BDC67374C9363404D474335F7D4A6EA3A234A279
SHA-512: C7CE4A795C5B2B8F7A92236ED968B33DD00980A79906D3A47AAFBCE49203F7446EB52A96E1D3DD34D11D1D3D8206B37E25D637999123590C77FF8DCDBC6D3954
Malicious: false
Reputation: low
Preview:
  2021-04-02 20:46:44.044000,2021-04-02 13:46:44.044000,INFO,main pid: 2540
  2021-04-02 20:46:44.044000,2021-04-02 13:46:44.044000,INFO,manager pid: 4456
  2021-04-02 20:46:44.044000,2021-04-02 13:46:44.044000,INFO,listener pid: 6352
  2021-04-02 20:46:44.357000,2021-04-02 13:46:44.357000,INFO,['571345' [] ['192.168.2.3']]
  2021-04-02 20:46:44.357000,2021-04-02 13:46:44.357000,INFO,mp_feeder_scan pid: 6404
  2021-04-02 20:46:45.653000,2021-04-02 13:46:45.653000,INFO,mp_files_scan pid: 6432
  2021-04-02 20:47:21.403000,2021-04-02 13:47:21.403000,INFO,mp_processes_scan pid: 7044
  2021-04-02 20:47:26.747000,2021-04-02 13:47:26.747000,INFO,wait_for_work_to_finish pid: 5432

C:\Users\user\Desktop\93d72046-08db-4412-ab52-b014148c1823.bin
Process: C:\Users\user\Desktop\vnwareupdate.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 1054382
Entropy (8bit): 6.02122638951826
Encrypted: false
SSDEEP: 24576:uBQPLeEdPue3mISdjmRjC1UyDMA5+6g2euETlF:iQDJWI6qMU0MfF
MD5: F400F658228104294620A36C1979F81E
SHA1: F833736D4C42729BC13D3EB41ABC478CE32D414D
SHA-256: 97331DFABA2BA81A43B307C57A05FEF8DEC372E5B553F3212CA9029C478AAB20
SHA-512: BFD698A90A231B9899FF848297A6AD6C14C0355C8A67A194B51DB26BEE2667CF85B63A079B6E26DED5F69D9F991131A07963D0D62C6FFEB5F5DA78A7E1A42128
Malicious: false
Reputation: low

C:\Users\user\Desktop\9703e260-d265-4332-8de3-4e5fab56a248.dll
Process: C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type: Unknown
Category: dropped
Size (bytes): 3488
Entropy (8bit): 6.050623140531944
Encrypted: false
SSDEEP: 96:LrkTZeTyZFHDryrEomRniGrj3XliaIu0M4sSpmyY:HkATyZFPyrEtZiGrLXQaD1n+myY
MD5: D10057E6A762943FEC8D994F307A2BA4
SHA1: A2B5FEF2142D2614D3F438F11558F76935F7AD76
SHA-256: 637C38D56733FF1340A05E39CB9128CBFF0A64FF8D96201546C265E510EBE74F
SHA-512: 521EC66C4CF0EEE8A3A75A6D66C2AF28050A69376B5B2B77987945DC3622A73F7E65876A3C2316C7F205BC0DCB8CAD349CE884FE25C32C7FFEB777307E5FB5A1
Malicious: false
Reputation: low

C:\Users\user\Desktop\MSVCR90.dll
Process: C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type: Unknown
Category: dropped
Size (bytes): 653952
Entropy (8bit): 6.885961951552677
Encrypted: false
SSDEEP: 12288:5hr4UC+Ju/A0BI4yWkoGKJwZ9axKmhYTMAO7wFKjCUmRyyPe:9JfyZFGKJjxKmhSMAB6CUmRyyPe
MD5: 11D49148A302DE4104DED6A92B78B0ED
SHA1: FD58A091B39ED52611ADE20A782EF58AC33012AF
SHA-256: CEB0947D898BC2A55A50F092F5ED3F7BE64AC1CD4661022EEFD3EDD4029213B0
SHA-512: FDC43B3EE38F7BEB2375C953A29DB8BCF66B73B78CCC04B147E26108F3B650C0A431B276853BB8E08167D34A8CC9C6B7918DAEF9EBC0A4833B1534C5AFAC75E4
Malicious: false
Reputation: low

C:\Users\user\Desktop\Microsoft.VC90.CRT.manifest
Process: C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type: Unknown
Category: dropped
Size (bytes): 414
Entropy (8bit): 5.277228517582997
Encrypted: false
SSDEEP: 12:TMHdt4vO5mSN4d6F+MHFVIogVW/AnpNnUvz:2dt4WlN44F+KIogAAn3G
MD5: D6D3CC1C61F96101FC2E1E1CAC20462E
SHA1: 2C92803EFF07CA4CBBE02974871806E2006D51BB
SHA-256: 0135463F733FC4CBC5AB6C3A0F1A8BA55478E670DB1C33B4C4B9F7F67664DD81
SHA-512: AE1C366B344E31392D05E50A487790A27760A8B527558F77A4B144D12606563C01F71D505F56B25C73E3FE89701FD3CDC2D464442D7E4FF01C06D7C9566FFD14
Malicious: false
Reputation: low
Preview:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <noInheritable/>
  <assemblyIdentity
   type="win32"
   name="Microsoft.VC90.CRT"
   version="9.0.21022.8"
   processorArchitecture="x86"
   publicKeyToken="1fc8b3b9a1e18e3b"/>
  <file name="MSVCR90.DLL"/>
  <file name="MSVCM90.DLL"/>
  <file name="MSVCP90.DLL"/>
  </assembly>

C:\Users\user\Desktop\a6be3467-9cec-43b3-8e87-ded73d446923.bin
Process: C:\Users\user\Desktop\vnwareupdate.exe
File Type: ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 686
Entropy (8bit): 5.948642917024559
Encrypted: false
SSDEEP: 12:gdQmnMuM5lHnpkvqaLXvvQwvEaBcU1F3LpraIqfjphSTOgmOBRZQWVV:g2OM5lHpkvqyQw8aBhf3LpGvpjOBRNVV
MD5: 2B5E17FE5E3CF77017F3529B78A5DE5E
SHA1: E9B36FD4376198A13932C6C86B9BC331524EBD2E
SHA-256: 3DADCDEDC430D45B1D18D23EF0BAA5E1FDB34A9CF67FF298B553C03AA48AB143
SHA-512: 4BF64767EF6C16B147E79B54A4F30A168FC53BCB959D2483C51693F693BD79D7B42C365719B6FD601EDFAAA5B9CC0267D69A18A7BF41698F488E6BEC735AD1AE
Malicious: false
Reputation: low

C:\Users\user\Desktop\ad421c32-aaf8-4995-847c-18069215aace.md
Process: C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type: Unknown
Category: dropped
Size (bytes): 2604480
Entropy (8bit): 5.999984131582419
Encrypted: false
SSDEEP: 49152:AZy+mbvx1IsHprFk6UrinnWmy9axyH1/4u:E
MD5: 3B90178050DED0678B4DAD0A767E5350
SHA1: 7B6E73D20984A7BBA4FDA9AFE44BC196F50B9E57
SHA-256: 8F83C493D8F965B1A8FAC98E9D889F6870BC1199B8ECF1DEDE57904F3E5B4CF3
SHA-512: 9E14127DF76B5A5A2B9961F8DCA6B26693AD30E9EAADF7446ACA9B647CC450AC2C6BA249EAD7586DBE15188794FC83255BE55F99814A5FBBF1E6DE8A8C88DD7E
Malicious: false
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Preview: 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
                                                                                                                                                                                C:\Users\user\Desktop\c2-iocs.txt
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):96295
                                                                                                                                                                                Entropy (8bit):5.159510685896611
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:N2tqRJgtt7AF+L6uRYPQT9HPR4MV7/VUg:ktq4t2YGDQTh51xOg
                                                                                                                                                                                MD5:B4C61F0E08EA7B7F1C4D666DF65A9004
                                                                                                                                                                                SHA1:6FB571CC2D826727109E6CCFF91EE8C91C81A372
                                                                                                                                                                                SHA-256:2EDEC291BFB6CE4ECACBB75FCB79C6B0021B7F61E38680966B465C2976B24B23
                                                                                                                                                                                SHA-512:58A2306E878CE023AA541F3F177D9B062BC06DA14757339D046094CBAE0529EED77C25570274A1847F03B5DF3AB4BC9B16D1BC575FDB2F98EACC885B960F38BF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                • Rule: APT10_Malware_Sample_Gen, Description: APT 10 / Cloud Hopper malware campaign, Source: C:\Users\user\Desktop\c2-iocs.txt, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_DeputyDog_Fexel, Description: unknown, Source: C:\Users\user\Desktop\c2-iocs.txt, Author: ThreatConnect Intelligence Research Team
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Preview: #.# LOKI C2 IOCs.# This file contains C2 server and decription.#.# FORMAT -----------------------------------------------------------------------.#.# C2;COMMENT.#.# EXAMPLES ---------------------------------------------------------------------.#.# 112.22.33.234;APT Case XYZ http://url.com/12345.# evildomain.info;AV company report XYZ http://web.url/..suroot.com;FireEye Operation Snowman https://goo.gl/x1v7mT.58.64.143.244;FireEye Operation Snowman https://goo.gl/x1v7mT.effers.com;FireEye Operation Snowman https://goo.gl/x1v7mT.118.99.60.142;FireEye Operation Snowman https://goo.gl/x1v7mT.58.64.200.178;FireEye Operation Snowman https://goo.gl/x1v7mT.58.64.200.179;FireEye Operation Snowman https://goo.gl/x1v7mT.103.20.192.4;FireEye Operation Snowman https://goo.gl/x1v7mT.58.64.199.22;FireEye Operation Snowman https://goo.gl/x1v7mT.58.64.199.25;FireEye Operation Snowman https://goo.gl/x1v7mT.180.150.228.102;FireEye Operation Snowman https://goo.gl/x1v7mT.111.118.21.105;FireEye Operation S
                                                                                                                                                                                C:\Users\user\Desktop\falsepositive-hashes.txt
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2968
                                                                                                                                                                                Entropy (8bit):5.2399125809736065
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:48:dR0u9dcnZJqS9zTedSm6/Rz63e02pHjRO93+eo16a49u9KJ9u9TW89nKgWIfLT4V:bXcnZwS9zTedSX/V6O0o1o3Xo16a49uc
                                                                                                                                                                                MD5:FF0023420D9138B6F67E775B24DCAE29
                                                                                                                                                                                SHA1:C87C024BC7CFA009B9F63952FF82508043B31E3F
                                                                                                                                                                                SHA-256:6A55C0D4ABEB777B6B6E042004BC13365EAD2A2483998D891B2E767947C6B99F
                                                                                                                                                                                SHA-512:8612DFDC4A417438F70821072B582FB5C1F3A7F1E79A569BA3CA518BB49262160DCC03463289C74104046B59ACE86406D452F5B0E9A433EB4B4322F47BBA44BC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Reputation:low
                                                                                                                                                                                Preview: #.# LOKI CUSTOM FALSE POSITIVE HASHES.# This file contains MD5, SHA1 and SHA256 hashes and a short info like file name.# or hash origin.#.# FORMAT -----------------------------------------------------------------------.#.# MD5;COMMENT.# SHA1;COMMENT.# SHA256;COMMENT.#..5cfbe1fb8df52bfba6d021319b0da899;Yara Rules of v0.2.6e5ebbc8b70c1d593634daf0c190deadfda18c3cbc8f552a76f156f3869ef05b;REGIN False Positive - Microsoft USB Scanner Driver.7565e7de9532c75b3a16e3ed0103bc092dbca63c6bdc19053dfef01250029e59;REGIN False Positive - NSRL listed.a26db2eb9f3e2509b4eba949db97595cc32332d9321df68283bfc102e66d766f;REGIN False Positive - Windows Serial Driver.18cd54d163c9c5f16e824d13c411e21fd7616d34e9f1cf2adcbf869ed6aeeed4;REGIN False Positive - CD Tower Web Client.0099940a366b401f30faaf820f4815083778383a2b1e9fab58e16d10b8965e3f;REGIN False Positive - USB Scanner Driver.b04a85ef2edbc5ac7b312e9d57b533d9d355d0c7cbbd24a8085c6873baf9411f;REGIN False Positive - SCSI Driver Windows.581730d7cce49af90efad5f904ce
                                                                                                                                                                                C:\Users\user\Desktop\fc38c7ee-ad18-4c74-a67c-9df763b1d8a4.bin
                                                                                                                                                                                Process:C:\Users\user\Desktop\vnwareupdate.exe
                                                                                                                                                                                File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):686
                                                                                                                                                                                Entropy (8bit):5.950460110681684
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:e1H/GUUWp2aiU09T90o107W0mGMSNNAMpeYNSf5SGJC/:exhpv0oo10C0m7SN6MbNSf57k/
                                                                                                                                                                                MD5:31FDBFD635834D7716A5066A718778D7
                                                                                                                                                                                SHA1:8930FFC35E78A225C383FE9156F49618ACBCD8A5
                                                                                                                                                                                SHA-256:8A7FF0C2FCADC00B06FC8E263E448252B592CE8C57D39D0BCEF1D40B6174603E
                                                                                                                                                                                SHA-512:052702651D1D6770C47A863691BB9DEE75D572F79D080DE4D1EF668F168420C5C2AD8EB4CE13045689FB39DE005BDE59A82EC66F636E70BF9988252FBD28BCBA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: 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..
                                                                                                                                                                                C:\Users\user\Desktop\filename-iocs.txt
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):75114
                                                                                                                                                                                Entropy (8bit):5.201861904999131
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:u3q4hyhojg9zWqHJv1uENxnZAoBeV17MXgz1v+8MdOSPYiUlKzS2:u3qGyhyg9zBxZAieV17vm8MdrYiUlC
                                                                                                                                                                                MD5:34189DD9F0D63FAB85E95BEE7E5B7AAB
                                                                                                                                                                                SHA1:0FF070F560CA11B79B02AC66880683F543343EB8
                                                                                                                                                                                SHA-256:3856DF85CA14EC8A231329BD69F76062E795A1B94DE37FDD52B1B66C34B857F2
                                                                                                                                                                                SHA-512:84F2DCE9814931B98AF62662031AEC9D7489297B39610F65E0CB73533355310F8C9938613DB08CC36B5C69C468FBD423A61799CA89043C744AE266CA01A46C5A
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                • Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: C:\Users\user\Desktop\filename-iocs.txt, Author: Florian Roth
                                                                                                                                                                                Preview: #.# LOKI File Name Characteristics.# This file contains regex definitions and a description.#.# APPLICATION ------------------------------------------------------------------.#.# Every line is treated as REGEX case sensitive..# Every line includes a description that gives information about the file name.# based IOC.#.# FORMAT -----------------------------------------------------------------------.#.# # COMMENT.# REGEX;SCORE.#.# EXAMPLES ---------------------------------------------------------------------.#.# # Various examples from APT case X.# \\svcsstat\.exe;70.# \\(server|servisces|smrr|srrm|svchost|svhost|svshost|taskmrg)\.exe$;50.# ProgramData\\Mail\\MailAg\\;80.# (Anwendungsdaten|Application Data|APPDATA)\\sydmain\.dll;80.# (TEMP|Temp)\\[^\\]+\.(xmd|yls)$;80.# (LOCAL SETTINGS\\Temp|Local Settings\\Temp|Local\\Temp)\\(word\.exe|winword\.exe)[^\.];80.#..# Ncat Example.# bin\\nc\.exe;80..# Regin.\\usbclass\.sys;80.\\adpu160\.sys;80.\\msrdc64\.dat;80.\\msdcsvc\.dat;80.\\config\\Syst
                                                                                                                                                                                C:\Users\user\Desktop\hash-iocs.txt
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):855930
                                                                                                                                                                                Entropy (8bit):5.458099249789609
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:2ekpoVVvb8NjyKsolE5qfEoWbBCjKIa/8aFxaLKDKCS+8ROz/HQ0ZwVtkPY39Qzo:Xk6HG2CLuDeoQFCcJ8veldwylU8uPjAJ
                                                                                                                                                                                MD5:76E89878C4F41E670998F71AFAE68794
                                                                                                                                                                                SHA1:634982643E7986C4DAB1C794B901CAACD953CD1B
                                                                                                                                                                                SHA-256:20E0D4605308113981AEF044F7835EE07A3D099E0AA486245913EBD4123503F4
                                                                                                                                                                                SHA-512:F356F5DC2E41D0C0984F818D5C23F309F12176232B23B6E9F1D86A9CEAF2D07CD6EBAF1DA647FC590B62587BA94AFAB2848462333BAEF42EBA091D3F120B3A12
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                • Rule: EquationDrug_HDDSSD_Op, Description: EquationDrug - HDD/SSD firmware operation - nls_933w.dll, Source: C:\Users\user\Desktop\hash-iocs.txt, Author: Florian Roth @4nc4p
                                                                                                                                                                                Preview: #.# LOKI CUSTOM EVIL HASHES.# This file contains MD5, SHA1 and SHA256 hashes and a short info like file name.# or hash origin.#.# FORMAT -----------------------------------------------------------------------.#.# MD5;COMMENT.# SHA1;COMMENT.# SHA256;COMMENT.#.# EXAMPLES ---------------------------------------------------------------------.#.# 0c2674c3a97c53082187d930efb645c2;DEEP PANDA Sakula Malware - http://goo.gl/R3e6eG.# 000c907d39924de62b5891f8d0e03116;The Darkhotel APT http://goo.gl/DuS7WS.# c03318cb12b827c03d556c8747b1e323225df97bdc4258c2756b0d6a4fd52b47;Operation SMN Hashes http://goo.gl/bfmF8B - Zxshell..# 563d1512178cec1f6a73c98d565c98fa;Cygwin nc.exe example..4fef5e34143e646dbf9907c4374276f5;securelist.com https://goo.gl/nkbFwv.5bef35496fcbdbe841c82f4d1ab8b7c2;securelist.com https://goo.gl/nkbFwv.775a0631fb8229b2aa3d7621427085ad;securelist.com https://goo.gl/nkbFwv.7bf2b57f2a205768755c07f238fb32cc;securelist.com https://goo.gl/nkbFwv.7f7ccaa16fb15eb1c7399d422f8363e8;securelis
                                                                                                                                                                                C:\Users\user\Desktop\keywords.txt
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):739
                                                                                                                                                                                Entropy (8bit):5.227572484598896
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:3rSUOGmHM4XS+U48FyvZeG/VMLZ2RdnbmD0KARKzg9ZI6t9O9LaVk3JK0JKZscM0:7SQDkNgUvwaa0bM0KARKc2629r5KwKg0
                                                                                                                                                                                MD5:5E2BCBBEC755105C02FBB19152BE6F48
                                                                                                                                                                                SHA1:22B846AEEE64AC9A65DF252B5E9F68F313FDD00A
                                                                                                                                                                                SHA-256:E3D3B0D09250B10302A952344AF4FE31DABA257DAE261F02D50F65D51ED31CDB
                                                                                                                                                                                SHA-512:6366D794E379B127F2D294F01291B4FA84DC2B10EEA500E2AB303241AE10555990E30DAD40145EE124DD11B3ECA9E467E8DFF9B02D164D36C0DBFAC25B326C5D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                • Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: C:\Users\user\Desktop\keywords.txt, Author: Florian Roth
                                                                                                                                                                                Preview: # MALICIOUS KEYWORDS.#.# Subset of keywords from THOR APT Scanner..# Password Dumper.WCESERVICE.WCE_SERVICE.WCE SERVICE..# Mimikatz.eo.oe.kiwi.<3 eo.oe.mimilib.mimikatz.Mimikatz.privilege::debug.sekurlsa::LogonPasswords.sekurlsa::logonpasswords..# Metasploit.meterpreter.METERPRETER..# Metasploit PsExec.%COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp..# Malicious keywords.spoofing.keylogger.powersploit.passdumper.creddumper.credentialdumper.XScanPF..# Javascript Windows Scripting Host - Suspicious - see http://goo.gl/6HRCbk.wscript.exe /b /nologo /E:javascript..# Java Deserialisation Exploit Tools.yoserial-0...# Powersploit.Powersploit..# Powershell Mimikatz https://adsecurity.org/?p=2604.Invoke-Mimikatz..# Don't remove this line.
                                                                                                                                                                                C:\Users\user\Desktop\lib\MSVCR90.dll
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):653952
                                                                                                                                                                                Entropy (8bit):6.885961951552677
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:5hr4UC+Ju/A0BI4yWkoGKJwZ9axKmhYTMAO7wFKjCUmRyyPe:9JfyZFGKJjxKmhSMAB6CUmRyyPe
                                                                                                                                                                                MD5:11D49148A302DE4104DED6A92B78B0ED
                                                                                                                                                                                SHA1:FD58A091B39ED52611ADE20A782EF58AC33012AF
                                                                                                                                                                                SHA-256:CEB0947D898BC2A55A50F092F5ED3F7BE64AC1CD4661022EEFD3EDD4029213B0
                                                                                                                                                                                SHA-512:FDC43B3EE38F7BEB2375C953A29DB8BCF66B73B78CCC04B147E26108F3B650C0A431B276853BB8E08167D34A8CC9C6B7918DAEF9EBC0A4833B1534C5AFAC75E4
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................6.........!.R...7.....&.....0.....6.....3...Rich..........PE..L.....i[...........!.....\..........@-.......p....Rx.........................0......?T....@..............................|..P...(................................3......................................@............................................text...t[.......\.................. ..`.data....g...p...D...`..............@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\lib\_cffi_backend.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):131072
Entropy (8bit):6.601564686857406
Encrypted:false
SSDEEP:3072:4CBNYJ0ZkOiCl+VwTFPJoUCgd9gxOVessPhRbieiuy:zYJ3Op+2TF8gLgxONsPhRh
MD5:891FB059049987C6CF148F4B93CDA09F
SHA1:5A154EDE87B7A72556F46E63CB65B794BC200F52
SHA-256:DD673ED74E624384C8C9541A799844C0BA95E81C1F67C51971433C7223B6C616
SHA-512:FF4CC9F33B38BD6AF51141C93EE988BB139743E8D2E5BE956B971B20B350B7248DB9FDD3E83414A92EA5377D4ABD8B77F362D7889BF3DC31185D76B90AC19807
Malicious:false
C:\Users\user\Desktop\lib\_ctypes.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):92672
Entropy (8bit):6.493969841565178
Encrypted:false
SSDEEP:1536:GSNT2se8WJAILpo+Wq0jKjLA4Yk9R/EcV4jnzWUthPIDu:pzWJAYppWn2A4f/PV4jniU7Yu
MD5:7896F2B2B44A6DC7F8021C142339CE07
SHA1:405319ED78E81800D54B1BFDA6198D7AF006220C
SHA-256:DA6F2A24EE007F2BA49B120F6253E2030563093B6ABD4514BF81F7F2326AC96A
SHA-512:7DC69FC771633F2E3864E5630FC3CD8CF01CB0ABE24085FBFFB4D91BE705D5A4BD9E65032AC120FCB13EEF489F825F3BF3FD5C447480FCEA39EE1DFBEAEB7D5C
Malicious:false
C:\Users\user\Desktop\lib\_hashlib.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):1096192
Entropy (8bit):6.877596116149514
Encrypted:false
SSDEEP:24576:eIPXuC7npUm98O4vfcK+b7NF0oTZEGsN+KpP9e2hKgpSeKMzvZ1J:ztpU44vfLOEG4DZpSrOvZ1J
MD5:AE0EF46BC3A52A92544B6FACAB0F32A1
SHA1:4065DFD80C8725F08C9AD75303BC40702C14F6EC
SHA-256:61372337FE96D67F92BCB44E6FAEEFB7FE404A326F819EA33E27D33DB98226F5
SHA-512:98BBDD3AE5C473D1B145E8E50B438541430CE623809B2C2284E8E6E819B20967472B7DDB2541B4FFD178EA63C333003B97FA1C9FB96CD0073A2DD492905C4D73
Malicious:false
C:\Users\user\Desktop\lib\_multiprocessing.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):27648
Entropy (8bit):6.280168209233203
Encrypted:false
SSDEEP:384:3EGWtVe6k5bBI8If+/iknYsiAzK0GSoY2Nfg0ttJ3Gbqsu1j9DG5XCM6nM:3Efe35bBJHA4Krhf5kU9ShCM
MD5:D675D1F065D2A22EC122375BF8069C1B
SHA1:499A53A5767313321CDB8E6D8C5220484841A3E2
SHA-256:1B9E81143AADA184ECDA900B93CFFE4A4BBD6820CA4F6D7F32EB46A000B66099
SHA-512:2460BB082F54E25327D51C91113C27EE260ACD526E51188A14BFEEC54769E7969979677561A69A68D2C7EFD242ECEC8C48BB830AB5FA718BB9CD53BDF2225D60
Malicious:false
C:\Users\user\Desktop\lib\_socket.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):46592
Entropy (8bit):6.535193648666847
Encrypted:false
SSDEEP:768:uRgfS9emPOtFVL+KHvjEG5RqFPBosNoC+M6Ll+cAuDaM:0jOtFVCKHzqFP+C7gLrfDa
MD5:7B2AAEF4135DF0FD137DF1F152DE1708
SHA1:B370B87DC4C39A4D8968EE998CE35DAAFC5359C2
SHA-256:00B31446AD5F7038F253B64A60753D07FF082923C108752D565717947F1A38BA
SHA-512:B2C4944E5F5D9A8B7CA9B86ACA049230737804F2F75E4B0EB83712D26B9FCBA031CA25FFFD10ADCB688902996443669D393B0C5DDFB1B88AE27CED464CEDC79C
Malicious:false
C:\Users\user\Desktop\lib\_ssl.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):1415680
Entropy (8bit):6.846106153505868
Encrypted:false
SSDEEP:24576:wDhK/yvb6r8IbUZQH8IKwjHWyZrLGW7Cp7no6gV+7GRI+KpPA6p4AR6pvAqJ4jzp:Zqv0og8I0w7KnIGZhspvAHjzQCJJ
MD5:B64A8677AD7FDA3EF730FFC4533FD1F8
SHA1:521FBDDBF5317C9EEE221F072FC5564CEEF1F8C6
SHA-256:4EDD88905E478AAC34ADABC783A2F695644528F1D8E2426B1F4FA0BCFAB03682
SHA-512:2EB6561D626E04EFD39155B861D4A5EB71161503B579634004EA163DDB2C81FE2FFA32452C8B9DACF28FC50AA2BCCD421575B28D121B05B2668F0257F98F6129
Malicious:false
C:\Users\user\Desktop\lib\_tkinter.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):40960
Entropy (8bit):6.335002644682424
Encrypted:false
SSDEEP:768:/OWNT81C/gnCUUlUuaFVfmHZrGKcEICDyF3nNCeNXzEmSAEPY:/OWT81C/NtUu6VuZrGKcjCDyF3wIXzP6
MD5:C61B4E27FC5FF25A9DFC2D10B79524D5
SHA1:38D2BE95DDB389D7BC1F2D9E8C98D2C56D0660B7
SHA-256:60CFE57C07C778C527C3B7522BEA9AAE7904868F440BD3F283AF831A0CBA4059
SHA-512:047B1669D1ED54C3FE8EB03651DC592AF25458C3F424C24C2093F61F0E009DDCCADB9BAE0682E7184D23D5D06623256413577E80A1FE2B937EF7560367AE9F86
Malicious:false
C:\Users\user\Desktop\lib\_win32sysloader.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):8192
Entropy (8bit):4.992693298555373
Encrypted:false
SSDEEP:192:t2VnGV7o5QUEZWm6Uk3fvf3X7THIL3YO+8I:tVU5QUEz6hfLTH98
MD5:B4A567D80CCC08FB1C7FBB765847AFDA
SHA1:B7FF2C68BA2887AAF5D029F41922E626C72B716D
SHA-256:DBB0F9C499A710BBC8BCDE4ECC3577A6C9548262D6CE4434ED5A0708CBC787DD
SHA-512:DDFEC25304BABE2DF55958F512F61AFD9AF88DDA499FE87931D17A9EEBF048449885A06A24BDDBC8604E11F07CED3C2ECE7F89C28290CAB5D1BF3816D22128DB
Malicious:false
                                                                                                                                                                                C:\Users\user\Desktop\lib\bz2.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):71168
                                                                                                                                                                                Entropy (8bit):6.739740223463112
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:Ixfp8+QhToyh3Y1rr24S1uBXTTva+X+E8S+fkPPYnLr:IZLuYlq4SuXTTva+X+XZfWC
                                                                                                                                                                                MD5:80558AB30129A2874B8776F4DD96AD7C
                                                                                                                                                                                SHA1:882E921AA68E196386397BE132B91CDEF23C5BF8
                                                                                                                                                                                SHA-256:CA19AF8B73E72DF5581CFF77085BB5885985C91ADA16B5A94DD50C827DD51093
                                                                                                                                                                                SHA-512:81ED07736ABC760D0ECC8EF9506B789F9DAD961A0969744FFF1120E3A294275C25FE9F215CCEFC7DD476017FEBAF117493141CCBB472E2FF4B24F32B44A0DA00
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.S.9.=K9.=K9.=K..K:.=K0..K:.=K0..K7.=K0..K;.=K0..K>.=K9.<KS.=K0..K1.=K0..K8.=K0..K8.=KRich9.=K................PE..L...(.|\...........!.........P...............................................@............@.............................B...L...P............................0......................................H...@............................................text............................... ..`.rdata.."...........................@..@.data...P'.......$..................@....reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._constant_time.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):7168
                                                                                                                                                                                Entropy (8bit):5.27929914348816
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:KofhVv08JgMFMeiyiX6+LBDtM7C26V+ffx3XAypVAAD6GNfuO:KoJyAgMFMelu3lDimHVsJ3XvVlD6Wu
                                                                                                                                                                                MD5:1FCCC08819AC663D36E1C567E34E8451
                                                                                                                                                                                SHA1:9218D2A68454828E1FE5F06FAF3A14139BD3F494
                                                                                                                                                                                SHA-256:7318B66E5EA1348E6875B1E0217E450E22C3FB9C96739D746BE19C01BE69073D
                                                                                                                                                                                SHA-512:E744708102CC6BB57DD65E28FA29471C75784DBBB64B1D29FF06EF4AE1D1B84D62ABC3DA9BEC6645F079B4900EE95981755D3E2B9CDF1BB005C589877478A7C9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6X{.r9..r9..r9..{A..q9..{A..p9..{A..u9..r9..Z9..{A..}9..{A..s9..{A..s9..Richr9..................PE..L...go.\...........!................W........ ...............................P............@......................... &..X....!..P............................@..l................................... !..@............ ...............................text............................... ..`.rdata..x.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._openssl.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2258432
                                                                                                                                                                                Entropy (8bit):6.9649853247217965
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:aQ1T1qcIUId7CdI+F3EAiXgREMRCfFxwpd6DFI/YNKaA:2cILd+G+/iXg9gfFx66DF
                                                                                                                                                                                MD5:1F30B7CC98DFCFE314C570D1FE8A0B1A
                                                                                                                                                                                SHA1:9AD798C634679150FF14995C1DEEB658CC9ABF53
                                                                                                                                                                                SHA-256:0B602CCA491F17F3D55CC1B760BB1EBE48D96E4CA68CB6769C46960ADD08B67C
                                                                                                                                                                                SHA-512:F6CD07C59DF110C95FF699DBC3EF0C1AD14A7EDFA64B5534228BC0587898CF7866D9EBBA0C5DC2759E187F90B50CDFA706F633A2E32F1D460C652CB7A84A560D
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........).).H@z.H@z.H@z.0.z.H@z.0.z.H@z.0.z.H@z.HAz.H@z.H@z.H@z.>.z.J@z.0.z.H@z.0.z.H@z.0.z.H@zRich.H@z........................PE..L...go.\...........!.....<...V.......A.......P................................"...........@.........................`...L....................................@!..Y......................................@............P...............................text....;.......<.................. ..`.rdata.......P.......@..............@..@.data....[.......<..................@....reloc...u...@!..v....!.............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\cryptography.hazmat.bindings._padding.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):7680
                                                                                                                                                                                Entropy (8bit):5.494741496784773
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:Kov1wlvo+uJbeG3HuuxstxsNJ3XvVlD6:Kov1wNo+FGXFx0xU1fVl
                                                                                                                                                                                MD5:7DB9C7461C4F2F5883F86AF789F81413
                                                                                                                                                                                SHA1:E71B8A9266A82C28219AE2AB6EB2144AD1731FB6
                                                                                                                                                                                SHA-256:11E625062ADD39E8EA1386FD28965CD4F2E52FCB6825F7BD1607DB576A09F7CA
                                                                                                                                                                                SHA-512:0421952AD1365486147E9232FB966B62D2551D098568579BD103A9DF4A7C0A04AD2C889E6C7E9D6318A7A7215A08AF89449EA645373F07EC9041865F82D49BA4
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6X{.r9..r9..r9..{A..q9..{A..p9..{A..u9..r9..Z9..{A..}9..{A..s9..{A..s9..Richr9..................PE..L...go.\...........!................G........ ...............................P............@.........................0&..L....!..P............................@......................................0!..@............ ...............................text............................... ..`.rdata..|.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\library.zip
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2623728
                                                                                                                                                                                Entropy (8bit):7.989708508062485
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:B4Ch0hPVz6WXcdOL3CfQqyotIAjEuZ/AQFOU8cpLYIxIu0sGW+dAb7RFec:Bvols1IAjEy/AQFOwpjMW+dAb7Cc
                                                                                                                                                                                MD5:DF9A3BAEB7B688DE8037FF9CE7E8F7CC
                                                                                                                                                                                SHA1:571132E00F20EB888161AC37654CFE4A9FE9D4F0
                                                                                                                                                                                SHA-256:2D8CA76D3A03E68AC4313D45B78C73BD9BFF5BFBA25E19687F439E8BED0B0883
                                                                                                                                                                                SHA-512:1EE9D558C56E8BACBDF7CF37044F1CFD1EBEFBE41375069EDE0BB1025A966834F72B505CD855E8C7FAE8A7CD7C80FCAE235784019D4EF9AB0DA1357B58F1321C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: PK........(.%O.x.....W.......BUILD_CONSTANTS.pycc...e+R......@..$.......(F....(&..F.(f..&.(...f.(V.l..+PY1..HO..M...M.K./f.......K.....%..I.E...:.F.....fV..V......4..J@.......N..>......A...!%\p1......87....1.5>8$....Io...kp..o@...z.. gW...(..D....~@.~!.z..%.@a.....T;P......!..PK.........<NJ.Z.^Y....9......BaseHTTPServer.pyc.;Yp..uof....@..@H.8.D.T.......$..)J.4.M...5....`vf93Kp....r9UI%.-[.-.v.;.8q.;...U.JU\..O*..s})..]..K\2..w.y..>.....{.}.b...a.}..... ..0.@..a..9.y..l.r..r....<.. ..V....*.R.,Y.k.?5.%.V.!.A.@.."..\....S..2\....u..,.....Q.%X..Q.W..-.....q.#z#..yai......1.ul.....al.W... w...U...An.q.L..f&.....<..1.fq.....8...G.DR.+/wd.>."...>.;3c.t.&u?He....6.n.yi.Y....7.(...Xy..d.EA.4..Y.2tb..H.....7.'.,.N.4.O..q.c...D..S...sz.r$..5..a$6...us-...;C.>Q...2I..|.[[../.\7A^m.^.~.>af'...=~.S...I.h"..s...P.~..G..3.......fs..@..Hl..0S..gR..`2D..j....$O. U.'U.....jJ.c...j.nB.>..${..'....(|.W.?x)./..+!.......^.D...h6...L..#...)L$...k..r..w....5C....B..b..M..f.Ed.
                                                                                                                                                                                C:\Users\user\Desktop\lib\mfc90.dll
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1156600
                                                                                                                                                                                Entropy (8bit):6.52546095742681
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24576:HMh/PZa3TrShmbjRbf/zxUK4BpifCqY5TcB2sQL+XmDOl:HMh/PZa3HTjtFUKwhqY5TcyL+XmE
                                                                                                                                                                                MD5:462DDCC5EB88F34AED991416F8E354B2
                                                                                                                                                                                SHA1:6F4DBB36A8E7E594E12A2A9ED4B71AF0FAA762C1
                                                                                                                                                                                SHA-256:287BD98054C5D2C4126298EE50A2633EDC745BC76A1CE04E980F3ECC577CE943
                                                                                                                                                                                SHA-512:35D21E545CE6436F5E70851E0665193BB1C696F61161145C92025A090D09E08F28272CBF1E271FF62FF31862544025290E22B15A7ACDE1AEA655560300EFE1EC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C.R."..."..."......"......."......"...p^.."..\m[.."...pX.."...pN.."...pI.."......"..."...!...pG.>"...p_.."...pY.."...p\.."..Rich."..................PE..L....`1G...........!.....T...N......C+.......p....^x................................g.....@..............................f......x.......x................#.......... ..................................@...............@...........................text....R.......T.................. ..`.data....j...p...H...X..............@....rsrc...x...........................@..@.reloc...1.......2...P..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\pyexpat.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):143360
                                                                                                                                                                                Entropy (8bit):6.61873865412512
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:Jtm+8Lr63In5y7+/Lt2NVFU/6NJ6VMqU:JtXxY5ybbUiNQVMq
                                                                                                                                                                                MD5:E7D033F40F44D497D6DDC5CC020CA40B
                                                                                                                                                                                SHA1:9CE1CAC6607C5E1DE58AD30B75BDB5B902BB24F1
                                                                                                                                                                                SHA-256:3285C94AE4C801147F564E92F1DD8DC00D630E041F80B33DD37300CE597004A6
                                                                                                                                                                                SHA-512:7BC1CE6C6F3B4B4A0D75A91EC15BF1C790EDFF2389DBC35EEC49A0F058B7FD2BFCCEB4AA088482C88B2DE0591996647C2D682B007B64524A549A6C9A2528FB08
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{..M...M...M...Dby.O...Dbo.C...Dbh.O...Db..J...M...$...Dbe.H...Db~.L...Db}.L...RichM...................PE..L.....|\...........!.........r...............................................`............@.............................J.......P............................@..........................................@............................................text............................... ..`.rdata...B.......D..................@..@.data...x.... ......................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\python27.dll
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2649600
                                                                                                                                                                                Entropy (8bit):6.722420193769921
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:Mq1WL6TfbVYU9U/EaP/iv4CMbxndsBbWA8LEkt34PMnhMmQHNZlhId1Tfcd+yW3d:1WL6UPI4CMbxdeZAhXhMnHXledIpm
                                                                                                                                                                                MD5:2FEB5AD28FAE3DE286803C6CCC6491C0
                                                                                                                                                                                SHA1:C1A2CEEAF37778BBE0A187E8B6CC12E488224028
                                                                                                                                                                                SHA-256:E2460663CB2E97DD61AFB42E0310C026B8417D6C2C135F54D2DA90696BEA6FA4
                                                                                                                                                                                SHA-512:37D2FB967742A1207DFE763C276B7A1AE515F50A4D9D01A83951FF69D87FD33ED1CDBAB978AE8D3D7499CE7D0C3E756DC53711EA66E7B6E06758BCC511664B25
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Bu....{...{...{..[...{..l...{..l....{..l....{..l...{...z.<.{..l..{..l...{..l...{..l...{.Rich..{.................PE..L.....|\...........!.........................................................).....V.(...@..........................g!..|...P!.x....@(......................P(.P\.. ................................O!.@............................................text...z........................... ..`.rdata...D.......F..................@..@.data...0C....!..(....!.............@....rsrc........@(.......&.............@..@.reloc...f...P(..h....'.............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\pythoncom27.dll
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):397824
                                                                                                                                                                                Entropy (8bit):6.646881960817534
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6144:Q2yUi0rjBcPEFlmKP/eHHn0T6euClw965SOKLbpd675XL0Kk:jyUi0rjByE/mKP/e0cCmpdYQ
                                                                                                                                                                                MD5:01C89FB05232C8310F6A8B4975297963
                                                                                                                                                                                SHA1:E03D1C9DF87E0E6F98F16AAE5EBD9FA51D696E35
                                                                                                                                                                                SHA-256:DBEC592DA6DD2A4D653DEF499E22865246F1F6441172FADF1A15DB498F11781A
                                                                                                                                                                                SHA-512:C5DF838814F4747F3BA192E39265FADF83295762D3A1F5CF37FCAD22C88B0157297A5BD3B5667C394D534F22CA1B680780FF1BE12C443D2265DFC674CCDC4B42
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A. .. .. ...o.. ..r.. ..r.. ..w.D. ..r.. ..w.A. .. ...!..r... ..r.. ..r.. ..Rich. ..........................PE..L.....[...........!.................h............ .................................................................p...>^........... ..\....................0..dq..................................p...@...............\............................text....~.......................... ..`.rdata..............................@..@.data........p...:...`..............@....rsrc...\.... ......................@..@.reloc..xr...0...t..................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\pywintypes27.dll
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):110592
                                                                                                                                                                                Entropy (8bit):6.569529056002426
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:q5z1B1kNtTUo+cJt9du4EnVn++M4Psj0I4Y7bi0Of4fuFsNOK1uMN/c:qN1BCtTUoPJt9du4EnVdaN4Y7bi0a4fb
                                                                                                                                                                                MD5:1EC8D89E992D8F04CB0042E2122CA95C
                                                                                                                                                                                SHA1:E26C4B2E038D85CC979B1278E918619F95AD3613
                                                                                                                                                                                SHA-256:25B66CEFD9A6C8B401C10451668516ADC5F11EAB9246A19780F59554F12F43C5
                                                                                                                                                                                SHA-512:8A52FC4AA73BA2B7E05A8404A9A7C8892829074540374D5C5C6AEE3776AB1D2D52CAB92FD8FE7572D68D3ACD3899EA4FD2504E60F412BBB85A6FCEA915DA1821
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qz.Y5...5...5....Tz.7...+Iy.6...+Io.8.....".4...+I..1.....'.>...5.......+Ih.$...+I~.4...+I}.4...Rich5...................PE..L...:..[...........!................F.............z..................................................................D..PJ..T/..........d............................................................*..@............................................text...2........................... ..`.rdata.............................@..@.data... ............~..............@....rsrc...d...........................@..@.reloc..d...........................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\select.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):10240
                                                                                                                                                                                Entropy (8bit):5.840237019743671
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:qkjXJRZobEm7QNw7MPDdqPSU+n6ErXUnv3XDVR6yAXc1U5O:quXJnjCAPDdFB6GXoPzV5yu1
                                                                                                                                                                                MD5:18EAD4BF3A21899F4C94DB60BA39DA41
                                                                                                                                                                                SHA1:EE856211F3CD00F29C1287C2DC129503FF78667B
                                                                                                                                                                                SHA-256:FB739F595B0C51F0BEDE73709FEB997BBCD15E7C5BEDF4A1B1D97856BE602C40
                                                                                                                                                                                SHA-512:C8D49E1057351D499348EF8264228E0FD236CA2B7FEF975700F309C0F7FDD00B57FC9F796D27A5D236D872236F59A7CE38A16E2140E2CF58712C81515DE52D24
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i)...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...z...zRich...z........PE..L.....|\...........!.........................0...............................`............@..........................8..H....3..d............................P.......1...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@....... ..............@....reloc.......P.......&..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\tcl85.dll
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):893952
                                                                                                                                                                                Entropy (8bit):6.723578756054998
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24576:9lqB5tUnPkmxmR0mYjlkPJHNCHtClUNF4j6so:FKTmtqUT429
                                                                                                                                                                                MD5:38501170F62D48F4B67C0F7AFCBFBC55
                                                                                                                                                                                SHA1:A0EF4A5D984EB36984B774D3578DBD303C84E4F6
                                                                                                                                                                                SHA-256:D041F89538E45111385C820DA2E5856CEA5B1D125D61AD0950F20EBEA5CE4271
                                                                                                                                                                                SHA-512:24E8C6079B9B8D40569F9DB706247C5C08643EF9A596D3677834B2F59F60861133FF8B0A578002CE8D8FA16FCEA2BA457394CB34CD319463349CA90B01484A91
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3f.!w..rw..rw..r.Hirr..r~.jr{..r~.|ry..r~.{ru..r~.lr|..rw..rn..r~.vr...r~.mrv..r~.krv..r~.nrv..rRichw..r........................PE..L....9.X...........!................a........0......................................(....................................X..L...x....@.......................P..h.......................................@............0..l............................text...0........................... ..`.rdata.......0......................@..@.data...t:..........................@....rsrc........@......................@..@.reloc......P......................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\tk85.dll
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1330688
                                                                                                                                                                                Entropy (8bit):6.294231023599021
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24576:UCgNcIR8ata36h5qrZs3oUQ+OYjslR526siGlVqyWav6e5qRo:1a8+OG3MdYjsrGiEJv6e5A
                                                                                                                                                                                MD5:85FAEA8F35F46C978182D59D93E75AF8
                                                                                                                                                                                SHA1:D19427DBB8BC9786B0EEFBBE97E43D75DCF2A92E
                                                                                                                                                                                SHA-256:1E8E4ACE15687DB65D39CE2F96FEE42CF476300C2CCBDF70CF25511764481511
                                                                                                                                                                                SHA-512:8BDEBBE29A73EC5A57A6D1E57B72CCFAA8F57C7C28F818A069763405194E693FAEE091A165380C4D1E4D1C5272BDB7D6E3268CB980F5F08A624C08BB989359CF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.{...{...{....w..{....f..{....a..{....q..{...{...z....k.J{....p..{....v..{....s..{..Rich.{..........................PE..L....9.X...........!.....R.........._........p....".................................}...............................@....=..<........ ..X...........................................................0...@............p...............................text... P.......R.................. ..`.rdata.. ....p.......V..............@..@.data........`.......@..............@....rsrc...X.... ......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\unicodedata.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):687104
                                                                                                                                                                                Entropy (8bit):5.428862749040877
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:Gm313AxoMPBt8FpQsVdFiI5mZMPXubUxktwd:93NxM8XQsVdXSPAxLd
                                                                                                                                                                                MD5:4133485C1E728925502BCAB21FB8A3C7
                                                                                                                                                                                SHA1:F5B8820983B3492160774C389D51A96DA1ED43C9
                                                                                                                                                                                SHA-256:F7D9825B06F3B2D758CBF1C664A49D8602721CF43C399030A3DCB9B35F18023A
                                                                                                                                                                                SHA-512:E0C8F575239C3D1037D83B920EF0F6223705C1DF8209AF319B8B48FFEF6B8CF4C6EA257F257BBEEE7ED10C709C0BA0FD65C2B6A6F3E9EE2A3593CA197C32E667
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{H..?).?).?).6QE.=).6QS.1).6QT.=).6QC.8).?)..).6QY.>).6QB.>).6QA.>).Rich?).................PE..L.....|\...........!.....(...R.......0.......@............................................@.........................pX..R...LR..P................................... A..............................@Q..@............@...............................text... &.......(.................. ..`.rdata.......@.......,..............@..@.data....+...`...*...F..............@....reloc..,............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\win32api.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):100864
                                                                                                                                                                                Entropy (8bit):6.549863186996596
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:h26TuD7jMOxYNlF7Zho6gltO/wHChTZVhV3LHhBNIxJ2cUClM2petWcQixWPhYo:M6TuvzxYNlFno6gltO0ChFVhVxcUGMRq
                                                                                                                                                                                MD5:F4612401995A7C88C278716BF9440B44
                                                                                                                                                                                SHA1:33AF801B819AC279831836AD9CC706BA4EBAD186
                                                                                                                                                                                SHA-256:196115722D774A84C84FA51CC1F1BDFFABEEE3CD1C6C1E33822D88FE4D4BEA37
                                                                                                                                                                                SHA-512:60D1FF88017C5B7279AEF894A0F56DC8D6C20BCA1C96CDAF1A1BA2DC953A62D52CCF0084D4FE62B88FCA530361343725FFD61FBEFA7052F8D92BC4563B7A7DAF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[-..L...L...L.......L.......L.......L...J..L...L..UM.......L.......L.......L..Rich.L..................PE..L......[...........!.................................................................................................g..~....B..........T.......................$...`................................@..@...............D....B..@....................text...*........................... ..`.rdata..^x.......z..................@..@.data........p.......V..............@....rsrc...T............f..............@..@.reloc..~........ ...j..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\win32clipboard.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):17920
                                                                                                                                                                                Entropy (8bit):5.949191048195201
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:M/CMeEb7B+tf8l18c2ztCDHRA6FCYWhHBq1AzR:MqMeEf0KbOztWFsY71AN
                                                                                                                                                                                MD5:6F205CD1FCF63B55DE0C0385AAD30DE4
                                                                                                                                                                                SHA1:EA6639A5A63335C14140F7F3AD05DFE6C39214F6
                                                                                                                                                                                SHA-256:3EDE96D8ABA0497214C13076725325C8BE3EAE9D23D9AFC46480E71AD9202E98
                                                                                                                                                                                SHA-512:A3096A7302043912197C034036888CCD7C2B5039CBFE4A2AF7C144CDE14A9876E4C5E48FEABD09985FD6E6D56DB10B520DFED0D5278822A86C719E8307BE7CF6
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........V...V...V...H.i.W...H...[...H.o.P....L7._...V...6...H.x.U...H.n.W...H.m.W...RichV...................PE..L...W..[...........!.........$......V&.......0.......................................................................F..X...l;.......`..l....................p.......1..............................H:..@............0...............................text............................... ..`.rdata.......0......."..............@..@.data........P.......:..............@....rsrc...l....`.......<..............@..@.reloc.......p.......@..............@..B................................................................................................................................................................................................................................................................................................................................
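The records above list each dropped file's size, 8-bit entropy and four digests, and every Preview column starts with an MZ stub followed by a "PE..L" signature (0x4C 0x01 is IMAGE_FILE_MACHINE_I386), even though the File Type field reads "Unknown". The following helper is an added example, not part of the sandbox report or of the analysed sample's code: it recomputes the same per-file fields for a dropped file on disk and sniffs the PE header from the first bytes the way the Preview shows them. The inline SAMPLE_PE is a constructed minimal header used only so the script runs offline; the machine-name table and the DLL characteristic bit are the PE/COFF specification's values, and the "PE32 DLL (...)" wording of the recovered type is this example's own, not a field format the report uses.

```python
import hashlib
import math
import struct
from collections import Counter

# IMAGE_FILE_MACHINE values from the PE/COFF spec (what "PE..L" resolves to)
MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the quantity the
    report prints as "Entropy (8bit)"."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the report's four hash columns."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def sniff_pe(data: bytes):
    """Return basic facts from a PE header, or None if the bytes are not a PE image.
    Walks MZ -> e_lfanew (offset 0x3C) -> "PE\\0\\0" -> COFF file header, which is
    exactly the structure visible in the Preview column."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _ts, _symptr, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "dll": bool(chars & IMAGE_FILE_DLL),
    }


def describe(data: bytes) -> dict:
    """Build one dropped-file record with the report's field names; the
    "File Type" wording here is this example's own."""
    pe = sniff_pe(data)
    if pe is None:
        ftype = "Unknown"
    else:
        ftype = "PE32 %s (%s, %d sections)" % (
            "DLL" if pe["dll"] else "executable", pe["machine"], pe["sections"])
    rec = {"Size (bytes)": len(data), "Entropy (8bit)": shannon_entropy(data), "File Type": ftype}
    rec.update(digests(data))
    return rec


# Constructed sample, NOT one of the files in the report: a 64-byte DOS header
# with e_lfanew = 0x40, then "PE\0\0" and a COFF header for I386 with 5 sections
# and characteristics 0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL.
SAMPLE_PE = (
    b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    + b"PE\0\0"
    + struct.pack("<HHIIIHH", 0x014C, 5, 0x5C7C0000, 0, 0, 0xE0, 0x2102)
)


if __name__ == "__main__":
    import sys
    # Usage: python triage.py C:\path\to\dropped\file.dll [more files]
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [SAMPLE_PE]
    for blob in blobs:
        for key, value in describe(blob).items():
            print("%s: %s" % (key, value))
```

Run it against the dropped files recovered from the analysis VM and diff the output against the records above; a digest mismatch means you are not looking at the same artifact the sandbox hashed, and the sniffed header tells you at a glance which "Unknown" entries are in fact 32-bit DLLs or .pyd extension modules.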
C:\Users\user\Desktop\lib\win32com.adsi.adsi.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):66048
Entropy (8bit):6.576893512901747
Encrypted:false
SSDEEP:1536:DngCnoIYhMxSelp32DJK/wU3E9+c2rCQqE3clDkGEmieVMOKju8/9jOm:DgtIYhMxSelp3uJK/wU3E9+/rCQqE3cG
MD5:8752E925AC1A1F0D6EE4C3E87471DA13
SHA1:71848FFFFB504325BF3806286FE06E0F2275091C
SHA-256:52D65D44DDDA1EFCED3E587E350E30E9005653011661365A527639656F1A9EA7
SHA-512:5FC6F2B9D64CBAD1DC240A11AE3263E9B6EB975010C88B7F4B59434DBCF7F30BFF3C70C18718557882AB8B045C5EC06707AD246E4584B7475172AE3742A80BA2
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.*l#.D?#.D?#.D?...?".D?=..?".D?=..?..D?.(.? .D?=..?+.D?.(.?".D?.(.?*.D?#.E?..D?=..?-.D?=..?".D?=..?".D?Rich#.D?........PE..L.....[...........!.....z...........~............A..........................@..........................................D...L........ ..D....................0..........................................@...............4............................text....x.......z.................. ..`.rdata..Db.......d...~..............@..@.data...$...........................@....rsrc...D.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\lib\win32com.authorization.authorization.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):18432
Entropy (8bit):5.985911260442151
Encrypted:false
SSDEEP:384:5ddckmjgMBV5Etkyp15mpJrHsv7OttH2qa1Bp:izsJnpDmpJwv7Otwqa1Bp
MD5:1D74299D05441FC37C76230F99184A78
SHA1:863EBE4314BC2C7BF5F95720832BC2325953C56C
SHA-256:5C53CDB2AF5E9BE44ACAE8FE900924C238051A02BED7B07C7B931BFECD69FD31
SHA-512:5E1F99E9B424EF484999CDC4DCEDC260D3FF76423BF6F390F2F137959CA7873978459A9C6325AEB6E2DF41328FFBD527FF36A2F68EDEFFB99FCC2FC23FABC314
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.B_..._..._....S..^...AN..^...AN..R...AN..W.....S.X..._.......AN..Y...AN..^...AN..^...Rich_...........PE..L......[...........!.........&......\&.......0....D.................................................................PI..V...L;.......`..d....................p..@....1..............................P5..@............0...............................text............................... ..`.rdata.......0......."..............@..@.data........P.......<..............@....rsrc...d....`.......>..............@..@.reloc..R....p.......B..............@..B................................................................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\lib\win32com.axcontrol.axcontrol.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):106496
Entropy (8bit):6.394970076819993
Encrypted:false
SSDEEP:3072:MM9DdZYfYl0Fh1u9+8aBWZOK8H6nk6iP:b5G49+TWZOKy6E
MD5:7015E33BCDB4319061D0942543397F72
SHA1:910962A5FBB43BF169913748C8AA12F7AC16EFE1
SHA-256:763E1154E909122DC321138ECD57345D01C65E309EFFD7EE57439787C738172B
SHA-512:ADE82F21A6AD506DA0037E9D003E51986413DE40D9FE389B83A0FB8E4338E2750D812D804DE0EFA4BA4AFD53BB4E15F8943E725F611001C9694DD2F145CEFCFB
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......bQ..&0.&0.&0..x.'0.8b{.$0.8bm.+0... .!0.8b}..0...%.!0.&0.0.8bj.30.8b|.'0.8b..'0.Rich&0.........PE..L.....[...........!................(.............G.................................................................pt..N....^..........T.......................,&..................................@:..@...............\............................text............................... ..`.rdata..............................@..@.data................d..............@....rsrc...T............t..............@..@.reloc..d&.......(...x..............@..B........................................................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\lib\win32com.axdebug.axdebug.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):221184
Entropy (8bit):6.444006774918823
Encrypted:false
SSDEEP:3072:GbiSzodrbpw5XR1z31LOIX2SeMYK9QgPU9P7jQu5ZbTjFhEkF0ROebsXROK37+gK:6aEIROK3J
MD5:8D78D971ABF4C0A5647D99772946C023
SHA1:72E4637C512290CCE7D6B38DEE5C897C156AC58B
SHA-256:75DBAF2796FFF6FB0220BBA5D359F85D1297CEBE8335E6EB0157EC96C58B43F5
SHA-512:598F396F79E1B883FC3791178125A9A8C018E9877735F0F8FF930B4A7B0242D54FD039D76B963A41FE66DA560AE0FBC89F4B38697549095BAECC67719A8F465D
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........YWj..Wj..Wj...%6.Vj..I85.Vj..I8#.Zj....n.Rj....k.Sj..I83.\j..Wj...j..I8$.gj..I82.Vj..I81.Vj..RichWj..........................PE..L......[...........!.........p....................J.....................................................................J............@..L....................P..|U......................................@...............0............................text............................... ..`.rdata..J...........................@..@.data....H.......&..................@....rsrc...L....@......................@..@.reloc...U...P...V..................@..B........................................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\lib\win32com.axscript.axscript.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):68096
Entropy (8bit):6.481137076158771
Encrypted:false
SSDEEP:1536:4wNe+pA5f/qT9ok2oRp+HHOKgRjRvHgnE6Qy:4ue+pk/qTuAp+nOKgRjRvAnEj
MD5:0749BE2981BAD9A1C2A37B54190A5AB1
SHA1:D5A0CE363D8C18A8711A12120028828154A12A43
SHA-256:DC9F0E1D51A6E4A789A0853AA791C8B0F027C16FC40BE15B530D67EDF1C273B0
SHA-512:6A10FEF851367F82F1377B41AB000F8F247D9980000881E368912461374D0E2A5E9DF7CEE5ED712524000907DF56DDE4E30CDAD34CDB5D7FF27B6809232AB960
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=...SO..SO..SO|..O..SO...O..SO...O.SO.f.O.SO...O.SO.f.O.SO..ROF.SO...O.SO...O..SO...O..SORich..SO........PE..L....[...........!.....l........../r............M..........................@...........................................+..............T.................... ......p...............................0...@...............4............................text....j.......l.................. ..`.rdata...z.......|...p..............@..@.data...T...........................@....rsrc...T...........................@..@.reloc..@.... ......................@..B........................................................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\lib\win32com.bits.bits.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):40448
Entropy (8bit):6.337078622987638
Encrypted:false
SSDEEP:384:ZRWwG2qj4ByO21SzvbwwKUYsHc5S2vukSMVRBfbUGWAbexU/ZJIJHBxaOK3HLrSI:IJjdR7/ZJIpBxaOK7uiLmpJRW
MD5:744D09BAE111803D50296E1D69240218
SHA1:9EF0FA2D434DF78093647B2210346F1C5B6CC04B
SHA-256:D1E2F717E7F1103B6F5D325EF8CA81DE24D6BBC77874D5440525913877841946
SHA-512:47A99B67C4C7EC5F080488EDB023D659514F8C430AFE1E131D9DC2CA4592573FA5D4525F754915AC4D77C450E5FC15E31FFBB7E6EBE2BC383CA847DF9252375B
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v..%..%..%~..%..%..-%..%..;%..%.tv%..%..+%..%.ts%..%..%...%.th%...%..<%..%..*%..%..)%..%Rich..%........PE..L...v..[...........!.....L...N.......R.......`....P.................................................................P...D...............D.......................4....b..............................8w..@............`...............................text....K.......L.................. ..`.rdata...2...`...4...P..............@..@.data...............................@....rsrc...D...........................@..@.reloc..T...........................@..B................................................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\lib\win32com.directsound.directsound.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):57856
Entropy (8bit):6.629857858519609
Encrypted:false
SSDEEP:768:p0uS0Zw7YB7/YOOwzzGcVhAuttaSPfRaaaOKI4sUmNARED:6uS0Zm2R7zzlV6uLzaaaOKI4sWiD
MD5:B5D7255A338C57AD611B7CC2E6A2186C
SHA1:D5DC5D12BE1203ADA6209B25719AE0058A212691
SHA-256:E617FFC11741ACCE6E488ED71D0B967C92FE6F5C0A00465CDF41ADC531BD21F7
SHA-512:4298931E3D93CFC61C03DAFBE2F6F219F644099C9806E6F3E767F8D5A36A041A3345F35B207DCB55CB51D7CA08C7DFA7800E9610D303CBC0F822D1E68FA4F85A
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............G...G...G,..G...G...G...G...G...GLsSG...G...G...GLsRG...GLsVG...G...G.G...G...G...G...G...G...GRich...G........................PE..L......[...........!.....P...........S.......`....V.....................................................................R...l...........\............................a..................................@............`...............................text...KO.......P.................. ..`.rdata...n...`...p...T..............@..@.data...............................@....rsrc...\...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\lib\win32com.ifilter.ifilter.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):19456
Entropy (8bit):5.992674666793464
Encrypted:false
SSDEEP:384:fEKRtWqRdBsL2azJJB7n8gGkY9leaOKmVHiVxMn:fEaveL7f9ZGkY9leaOKmAVxM
MD5:35CA5465605D3674CA875FC52FE139F6
SHA1:6AF3D79CA8267C0F34F3DF8B8100696115CB2CB2
SHA-256:4C9371FBFAA2C28B78239FD928B6F9DC80A07604D9BD92B945D58BFB6CA7CE07
SHA-512:C77AE812C1A738AD30DC9672013328BC3584D37029B4AF60ED722F0BE59C247108E9D5606FAE8118652F3012090004B2BF860F3050F00D4A2640574A010D1CB9
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................:....................Z0K...........Z0N...............................Rich...........PE..L...y..[...........!.........2...............0...._.................................................................0V..J...,K.......p..L.......................p...p1..............................@H..@............0..X............................text............................... ..`.rdata..z&...0...(..................@..@.data...4....`.......B..............@....rsrc...L....p.......D..............@..@.reloc..~............H..............@..B........................................................................................................................................................................................................................................................................................................................
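Every .pyd entry in this table is listed as File Type:Unknown, yet each Preview opens with an MZ stub, the "This program cannot be run in DOS mode" string and a PE signature followed by "L" (0x4C, the low byte of the i386 machine type 0x014C), so these are 32-bit PE DLLs whose names match pywin32 extension modules. The script below is an added example, not part of the sandbox report or of the analyzed sample, for recomputing the per-file values the table quotes (the four digests, the 8-bit Shannon entropy and a header-based file type) over a local copy of a dropped file and checking them against the reported digests. The built-in input is a constructed minimal PE image, not one of the files above, and all helper names are my own.

```python
"""Recompute the per-file values a sandbox 'dropped files' table reports:
MD5/SHA-1/SHA-256/SHA-512, 8-bit Shannon entropy and a header-based file
type. Added example, not code from the report; the built-in sample is a
constructed minimal PE image, not one of the dropped files."""
import hashlib
import math
import struct
import sys

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for
    uniformly distributed bytes (packed or encrypted data sits near 8)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def hashes(data: bytes) -> dict:
    """Digests in the same algorithms and upper-case hex the table uses."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def identify_pe(data: bytes) -> str:
    """Classify by header, not extension: 'MZ' stub, e_lfanew at 0x3C,
    'PE\\0\\0' signature, then the COFF Machine and Characteristics fields."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE image"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ stub without PE header"
    machine, = struct.unpack_from("<H", data, e_lfanew + 4)
    characteristics, = struct.unpack_from("<H", data, e_lfanew + 22)
    kind = "DLL" if characteristics & IMAGE_FILE_DLL else "EXE"
    return f"PE {kind} ({MACHINES.get(machine, hex(machine))})"


def check_against_report(data: bytes, reported: dict) -> dict:
    """Compare recomputed digests with the values quoted in a report
    (case-insensitive). Returns {algorithm: True/False} for every
    algorithm the report lists that we can recompute."""
    actual = hashes(data)
    return {k: actual[k] == v.strip().upper()
            for k, v in reported.items() if k in actual}


def build_minimal_pe(machine: int = 0x014C, dll: bool = True) -> bytes:
    """Constructed sample: 64-byte DOS header with e_lfanew = 0x40, then
    'PE\\0\\0' and a 20-byte COFF header. Not loadable; only for testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", machine, 5, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Usage: python check_dropped.py [path-to-dropped-file]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    print("File Type:", identify_pe(data))
    print("Size (bytes):", len(data))
    print("Entropy (8bit):", round(entropy_8bit(data), 6))
    for algo, digest in hashes(data).items():
        print(f"{algo}:{digest}")
```

Run it against a copy of one of the dropped files and feed the table's MD5/SHA1/SHA-256/SHA-512 lines to `check_against_report`; a mismatch means the copy is not the artifact the sandbox saw. The entropy values in the table (roughly 6.0 to 6.6) are what ordinary compiled code looks like, well below the near-8.0 expected from packed or encrypted payloads, which is consistent with these being plain pywin32 extension modules rather than the malicious component itself.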

C:\Users\user\Desktop\lib\win32com.internet.internet.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):67072
Entropy (8bit):6.446610178959943
Encrypted:false
SSDEEP:1536:3ypt1URv1+BQLR7B0UySh3Tmzvm6O6MOKNwDRRr8P:3yL1URv1+BQLR7B0URh3Tmzu6O5OKNwM
MD5:F3542954CF9BB20BE086F9D743759F7A
SHA1:D14948E9F5E589E171D7918B2398985FF7BA0567
SHA-256:82D04B2A393A5F7AF54F817160420F8755027518D526D8CEB4578CB5D7D06BA1
SHA-512:20A8311A2B0B5B7AD7B0EA9757415E7622643709CC0EBC179C569749F4521B4CCD94652BC2AA8635A174088019C8724935608DB5B6C8B8ACC48D6A753F934EBB
Malicious:false

C:\Users\user\Desktop\lib\win32com.mapi.exchange.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):105472
Entropy (8bit):6.589353469217729
Encrypted:false
SSDEEP:3072:g9+Tdsf/n0NPkHV2xQFHxDcOKRhCodgz:lRy8kHRQOKRhD
MD5:670F31420A7D78E063595942B87EA496
SHA1:05D1F9B4A48FABF0C501F9415DEA193E1F33B21D
SHA-256:2B03716E85A8A63CEBD77638F6E58800B407A5032B873B7F5C48BC8F1F788110
SHA-512:0CFD5FCD396F9E7473D0C2C72EF984CEF772221687E66B2E54FED7D3A91137BBB68CB6ABB135ACC6A8FACA68A806E1410D5C2FCF503BE0E94E820D5123BC4C8C
Malicious:false

C:\Users\user\Desktop\lib\win32com.mapi.exchdapi.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):65024
Entropy (8bit):6.532830752364937
Encrypted:false
SSDEEP:1536:bXN99JcSm0MPMwZobCxMvV6RZiRgHz610dMk2EDrm4jAw8:bHPwZobCxMvxRgHz610dMk2EDrm4jAw
MD5:C63F38B638B858CCE73C42CD4002FDF0
SHA1:2CEEEE5DACAFAE90165BAD7392BD107CD56A861E
SHA-256:8A7A8F044F59CE4FE023E1841C406B00BEDCEE7BF82E533B64EDC324536770A3
SHA-512:1A2A222B541B899A362971FA54ED46EB3EFCAEC71ED5380CF6F8A718BADFFC527CE6EA2411597BCF39A091222FF30A3DA535C9F84B627A1DFE39F72BDDDC6088
Malicious:false

C:\Users\user\Desktop\lib\win32com.mapi.mapi.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):129024
Entropy (8bit):6.660769030473044
Encrypted:false
SSDEEP:1536:0uc4wnNH6+s91tQ9Mfni3zyYtIx9q5RaXAA+C53pOPmJ69Ks0XE7MOKdb1D9:240NHfsDt/szx510XzOKdb1D9
MD5:B4240E63F70A7499E52518A0939CDB73
SHA1:36F2576B609ECD0FE7C71E4320793CD688FA2777
SHA-256:151851F44BC9E5D93396729EDBF89CFDD81E42CBFB6F182D56233840BC2425A8
SHA-512:71E82DBF52E0087D7B558DCCCEC4F2B31C2B4CB2DA6A3ED77AE59DA431626AEAE110CC29ADDD98CC30C7A0A326205EA6168AEBE6890DC0F90D76311A032E970F
Malicious:false

C:\Users\user\Desktop\lib\win32com.propsys.propsys.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):114688
Entropy (8bit):7.027208191219806
Encrypted:false
SSDEEP:3072:YU23v3vOw3T7DP6ErRcOli7hZd/XhxeeDOK9eW67q:DBDEdChuGOK9ei
MD5:41B7E08CA7D5627215710DA1631ACE1F
SHA1:8D19C1775ADCD43A6B8C7BE0C9790CEC52CF6DA3
SHA-256:9BAF0FDF0B4954744B04BADC904B537AA686E5585EE5A5BE3039DB5DCA6FEB6F
SHA-512:273AEA758AD34163D2E8DBC1E651703D6FB54FEE87841F59DBB1A32E83834A4D5D16A3B331EF7BFFF5365EAB7B02F2A055702C0C6D6E13B7E4D02D319E2FFABF
Malicious:false

C:\Users\user\Desktop\lib\win32com.shell.shell.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):397824
Entropy (8bit):6.6891165308835685
Encrypted:false
SSDEEP:6144:WVA+HF3iM6Cm1ZxIWGw6afgohD0GOKOCZSw:Y6r7GgfP
MD5:2DC81AA0F7570C3FE64A9134DC805316
SHA1:31A13BD400BE616E36D07AA9182D022FD2F5C96C
SHA-256:1D9BF44C1C1B094D5AB16D9A414893C5A0C17369CC428402F00193378B804AAC
SHA-512:B5A63A1248BC62E8851864D09D9E3A62EABE1A0446FF0E868C840E09C5352A5F46BE78136D8C8927F4DBBDD843445A3411E8325690644CADE49551097F646C85
Malicious:false

C:\Users\user\Desktop\lib\win32com.taskscheduler.taskscheduler.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):34816
Entropy (8bit):6.181356584920318
Encrypted:false
SSDEEP:384:HEwv/5WTtxcPWOAarngcdldTNFU6WcYRhIzrxLOTN8Rv/caOKWHNcIAu3X1AkGP:HEOuxPUrg05pWIvROBe/caOKCcIA4XG
MD5:6A1DB58C59EC75961DC1BFD992241734
SHA1:F3CCEF8844A38E96B499F66938E8E84C63F29EE3
SHA-256:A4993A7C388FAEF46D41310ED71D55A59718C82088E53231A8D292775F8B5125
SHA-512:4E458BC79918D616B02E2F938F9A4460396BA1DA7CB7B2A61AE71986F6F74776AB731421B71FEA812066F0B6B45803E8C5EFA75C1102CF055A5C424591A4B226
Malicious:false

C:\Users\user\Desktop\lib\win32event.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):18432
Entropy (8bit):6.019153964386668
Encrypted:false
SSDEEP:384:q6ObLkEVhuSRk78FFl/ThAdbF7EpmQ+W5D+TwGgjRSHdG/tLb5yvL:KbLkEV4SBFl/ThAdbF7EpmBoD+TwGgjE
MD5:4E5EC63FA2D36A5B6DBA3DC89C54FA72
SHA1:E7E2E80F10877081AC7A282BD95043FA22E135CC
SHA-256:E4F3FB9A1BC9997FE916381F39046031DDDF227BDFC695715AE7A991311C0C22
SHA-512:517EAA56EEB83C2CAC6D4026F949D08976B395EC9F21DF027D15CEC9C97B81164EC25F6FF63445DB4265A50E891646CE00F0D8D11599944C2DEDACCEC826DABD
Malicious:false
                                                                                                                                                                                C:\Users\user\Desktop\lib\win32file.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):119808
                                                                                                                                                                                Entropy (8bit):6.6168517217978575
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:45ryCm50OXB4tkoJFv26MA3YeeP73xUkz8F/9cQyoRBQlNi4w3c3YxYWTktZjrqL:kyCm50mS5v26MA3YeeP73xUkz8F/9cQS
                                                                                                                                                                                MD5:11D8DEEA5B29CC172F04BC746EDAE3BC
                                                                                                                                                                                SHA1:2825675D0ACA5BCB1C22873B042195094480842F
                                                                                                                                                                                SHA-256:4214600D7BEB51376A0DBC60C2B77F589368E5EF46CA401FE43B62F7342FDAA5
                                                                                                                                                                                SHA-512:C870F7F49FBB027E72D1A1827B99452ED6F2DDF914AC7F1505554379B6F2C815549EF570D4E834FAB0EE4F0686903359F1D8982B87768FD5189F4E15AD7805ED
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Ah.-...~...~...~.[f~...~.[p~...~..8~...~.[`~...~...~...~.[w~...~.[a~...~.[b~...~Rich...~........PE..L...S..[...........!.........................0............................... ...................................... ...N..............T........................#..p4..................................@............0..@............................text............................... ..`.rdata..n....0......................@..@.data...............................@....rsrc...T...........................@..@.reloc..\$.......&..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\win32gui.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):167936
                                                                                                                                                                                Entropy (8bit):6.579158672499563
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:vR9uImXCteoQfeB/r2Cj2uPxTZ3q+eGj+yiY/1MhnGOt/DKAJyYUZT:Z9uImXCteoQfeBPPxQ+eki2WGOtr0
                                                                                                                                                                                MD5:0428364773430816DA7B3A3709115DCB
                                                                                                                                                                                SHA1:034D669425E46B6AD8A7BABE1875844A07AF9FF8
                                                                                                                                                                                SHA-256:549AB469061ED8AAEDA753A5D32167968B338F15CA4F1B04A5195DCA961DF65B
                                                                                                                                                                                SHA-512:C63E0DF34AD1E99A2E0EE98C07268351FEC1B0CDF66A8C717EE1C945DB2C4708FDEA6563D62E16F07F5F794A3E23833006B604F604EA07E24D8F8D5E541D7EE5
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......`]..$<v.$<v.$<v..s..%<v.:n.'<v.:n..(<v.:n."<v....)<v.$<w..=v.:n."<v.:n.%<v.:n.%<v.Rich$<v.........................PE..L......[...........!.................p..............................................................................pO..b....$.......p..T.......................$9..P................................ ..@...............(............................text............................... ..`.rdata.............................@..@.data...d....P.......6..............@....rsrc...T....p.......R..............@..@.reloc...9.......:...V..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\win32pdh.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):25600
                                                                                                                                                                                Entropy (8bit):6.174024922458714
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:4UlSJ7oQTvsezqx7BNw1IemFm3RTt+oTiyJKu50XYtLgcFgMHot9K:46QvPzqx7BH1c9uyJL5oYpHFgZt9
                                                                                                                                                                                MD5:F51713CEF9B0D97D8647C7D4B0F577E6
                                                                                                                                                                                SHA1:83EA250DB8869EA2D3810DC0F6B9B0E0071C74BB
                                                                                                                                                                                SHA-256:92ED7BE8109820586B86E97C5EC6A7C39AAAA3A38659B98B857A478B358D66C2
                                                                                                                                                                                SHA-512:77E13094140C94B3B6B540CDB4A5A24ECBA06CCAD542498DF7B881D66595B2DE8ACBEE1BB4AD65F6799E2805464027E294F0F8961D7983977B6725E1A9BB6C1F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........EE..$+H.$+H.$+HZ..H.$+H.v.H.$+H.v.H.$+H.v.H.$+H.$*H.$+H.v.H.$+H.v.H.$+H.v.H.$+HRich.$+H........PE..L...b..[...........!.....2...........:.......P.......................................................................m..L....d..d.......T.......................p...pQ...............................a..@............P..T............................text....0.......2.................. ..`.rdata..,....P... ...6..............@..@.data...,....p.......V..............@....rsrc...T............X..............@..@.reloc..|............\..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\win32pipe.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):24064
                                                                                                                                                                                Entropy (8bit):6.134786037546586
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:aVOIiDSVujmVnO7aNfnVsDjMDcuR56tHFkHmDYPM8K9cJ:aQ/DSYiVnO7SKuRopQlK9c
                                                                                                                                                                                MD5:37D0EEF933F0813E66C96C0E0238613A
                                                                                                                                                                                SHA1:6C4922F69439E437423FCD7EDE8B5838B16F6D98
                                                                                                                                                                                SHA-256:DB682DB53334FD9C8DF2A9206DE738B26F7C5199586BE02CD917841434141E40
                                                                                                                                                                                SHA-512:7AB9FAA2620A71FB7E63A7558C56A2AEC9E41758507FA73895C1A299919351ABB1E687AD3EDA365246475B73F6CA8AE30AAD3A930C95C9D6328EB1F3D19A3372
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............N...N...N3.iN...N.7N...N.!N...N.1N...N...N...N.&N...N.0N...N.3N...NRich...N........PE..L...c..[...........!.....0...*......F8.......@.......................................................................Y..N....M..d....p..T............................A..............................HL..@............@...............................text............0.................. ..`.rdata.......@.......4..............@..@.data........`.......P..............@....rsrc...T....p.......R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\win32process.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):36864
                                                                                                                                                                                Entropy (8bit):6.348876403620652
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:pOe22GO+Ka1n+mK85Q/tYckwYtXnxutzjCI0EniNBHuJ4xFO7:pW2GO+Ka1n+mK8y/KiYWiI0EniNBHq4W
                                                                                                                                                                                MD5:F80982C6045A71BB289955A63C2CAB28
                                                                                                                                                                                SHA1:9B1193D5C43F55726CE6B195CA12C00E36A0A159
                                                                                                                                                                                SHA-256:A30A13AED206B0090545A509EE0A1D5470650C849F28E22B7D97CCCC0E42C3E8
                                                                                                                                                                                SHA-512:966B1C4305B50703E775D961710654DAABD08E26BAE9E4EBBA39F38450802DC6DF899B8B7EA481CDF5DA33E40B728318DE3138AEB5A87429B8C9D0DF78868B68
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................n......x......h.......0.....................i......j.....Rich............PE..L...h..[...........!.....F...F......jO.......`..........................................................................T...............d............................b..................................@............`...............................text....E.......F.................. ..`.rdata..40...`...2...J..............@..@.data...L............|..............@....rsrc...d...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\win32trace.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):15872
                                                                                                                                                                                Entropy (8bit):5.7121722125177605
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:dSBRJVY+svPnRYsTJWrDf0JIxRqHZHzGAuMrP/i:EBfVY+svvdTsrDfhxChuM7
                                                                                                                                                                                MD5:E80949B7C4D5F9360DCEF1064607A1AD
                                                                                                                                                                                SHA1:207C2CCBE19A5DE105B3763C6AFE17000E2605D0
                                                                                                                                                                                SHA-256:012065E37E4067AB0B35B075225F27CE546A9AEDF336405BC7CE307EB56924F2
                                                                                                                                                                                SHA-512:3BB4672CBCF7C4D2CC8C543A30232FA0A360818A4F3416A2B481E2EDB47C877B6535932103B003ACED8B960E152B9924DBBFDFA4EBA492531E5E933EB3DBCE7A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............{@..{@..{@..@..{@..@..{@..@..{@(..@..{@..z@..{@..@..{@..@..{@..@..{@Rich..{@........................PE..L...t..[...........!................P$.......0...............................p.......................................>..P...<7..x....P..\....................`......`1.............................. 6..@............0..@............................text...H........................... ..`.rdata..@....0....... ..............@..@.data........@.......0..............@....rsrc...\....P.......4..............@..@.reloc.. ....`.......8..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\win32ui.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):779264
                                                                                                                                                                                Entropy (8bit):6.3696779666362495
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12288:008SW0XOKL6+NaYrgBOrNx8pSgv7PvwRZE7AR4wYEssGtPwmS0z6Z3qLmaNPhH88:00cvQt0fz6Z37Uyln
                                                                                                                                                                                MD5:AD46B7BD0D0EAE2D23B2A381B60F8FA3
                                                                                                                                                                                SHA1:A57A5FA2982143CF357DCAE48C5BCBD48C10B988
                                                                                                                                                                                SHA-256:0848D266F6798B81910F7402E3C529C96CFCE26A2C105EAFECC85A89404FEB22
                                                                                                                                                                                SHA-512:CAADF25C800EEBA2E61D843202F111BFE028E830032862E3B87FBCB600A1A2BC9B36ACAD5E30E8A26DCFA6B451563DFA33D7355E9F73DA8C90DB1B3EE007F2BA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9.4.}.Z.}.Z.}.Z....q.Z..0..|.Z.c-..~.Z.c-..q.Z.c-..t.Z.}.[..zZ.c-..J.Z.c-..|.Z.c-..|.Z.c-..|.Z.Rich}.Z.................PE..L......[...........!.....J...................`....(..........................P.......F...............................<..!M..$........0.......................P..|....w..................................@............`...............................text....H.......J.................. ..`.rdata...)...`...*...N..............@..@.data...........^...x..............@....rsrc........0......................@..@.reloc..|....P......................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\lib\win32wnet.pyd
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):25088
                                                                                                                                                                                Entropy (8bit):6.090000439361444
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:tRZ5g+l3KQZrpJI+LXEJVIs+AYOtr5OE950262R:tRZ5g+l3KQZrpfLXEJVIs+AYOtL9502Z
                                                                                                                                                                                MD5:C62F05CF853E438A1142F4D6FC60F6EA
                                                                                                                                                                                SHA1:14B7B6BD9EECDF57D3DAF2AD88B989C330B2A2F8
                                                                                                                                                                                SHA-256:9F0E09D458393DEECA40207F5E89CF705C63B93CF759E8E4952F706ADEFC9704
                                                                                                                                                                                SHA-512:9A9E5A9C534C6D8193E167788A3E349E11576D33630FB61CB1C5905CF1727BFFCEDF631FE9C20FD5F790979B3DD99069DBEDC469D0A7340A39C8773B7B054E20
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d^._.0._.0._.0..J..^.0.AW..^.0.AW..R.0.AW..Y.0....X.0._.1.?.0.AW..X.0.AW..^.0.AW..^.0.Rich_.0.........................PE..L...w..[...........!.........0.......5.......@......................................................................@Y.. ...lN.......p..T.......................p....A...............................K..@............@...............................text...J,.......................... ..`.rdata..`....@... ...2..............@..@.data...l....`.......R..............@....rsrc...T....p.......X..............@..@.reloc..~............\..............@..B................................................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\lib\winxpgui.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):318464
Entropy (8bit):6.816628763663281
Encrypted:false
SSDEEP:6144:HBKc5gO1BjloweC80BBQXuvAPQLMKXAZNLHqHi9Oo8O41:HBKc5gO1BjlowQ0BBQXuvA4LXoNW8q31
MD5:D0321B1ED9E33D3DEFB14F3F4AA12ECB
SHA1:02CD1ACC0739C2A79B33716701A84C6C8DB8DD8F
SHA-256:2A31174C15B1A19F53161F45758C4821B380620E519FC343D4D99CC391212B8D
SHA-512:C3C74F9EDA0C493DF3BC92005EBA8E5BADEB05C4207B064794975FA5B8FCE9D3BDFD85615B24442ABABE19B125ABF8D65C6D74112434D1E0C097D8082A9098AE
Malicious:false
C:\Users\user\Desktop\lib\yara.pyd
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):1240064
Entropy (8bit):6.805558268113778
Encrypted:false
SSDEEP:24576:smD/F6SQ1oZg49vgpEn8wdxTCrJykukMh4k+LQBMyBMpxYa43kef:ZtVglpE8spQSS9yBMpxYkef
MD5:9832A3353831EB90BD2E84CFF5553CDE
SHA1:CC95073DC09CB89400A6503032649D6EA2CAEE29
SHA-256:0C1F24D87A4C2B84DD0C020677285819E02B1E1A504F754F1D0748463EF938C8
SHA-512:1653F9C7AD78232F9E031BC2B307020EEE45AED1FE86C1B66779BD64AF2F72BB704518EFA8AD1B7A6F59D6080D6409F9774A65764549F48F1F479863B3877F16
Malicious:false
C:\Users\user\Desktop\msvcm90.dll
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):225280
Entropy (8bit):6.037671591812755
Encrypted:false
SSDEEP:6144:FmOMqcQXAXzwYjOWcNpJKO82NWqzf6fW3/amiX2Oym:F5XcuAXzUMqb6fW3/ami
MD5:A2E9006871561A8B7C817E0E5F428817
SHA1:4495C0E1B6AF43C0D8EEF876940C115D0D7B45AE
SHA-256:5B44A41559DFCF7D5BC22DED1A3433F0F19E51ECCF17FDB3224BA2C617061EEE
SHA-512:1894F2DE0C94EE52346F81F7ECD36BF968ABBA97EE67D7BC4AB9D172190A3B17291BB837ABF211ED5EED86276DD6FD46216FF3720008BB069D0C8695007098D2
Malicious:false
C:\Users\user\Desktop\msvcp90.dll
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):570496
Entropy (8bit):6.5259314477231305
Encrypted:false
SSDEEP:12288:BpFE340h3e34GVZQACkIPYhUgiW6QR7t5183Ooc8SHkC2eLgAfO:Bph0h3e3vgzPA83Ooc8SHkC2eLgAfO
MD5:90A32D8E07F7FB3D102EAB1DA28F0723
SHA1:0903911BBB5D00F68BA51895FA898B38A5453DED
SHA-256:004ED24507DC7307CEC1A3732FA57EABF19E918C3E1B54561E6CC01F554C0B77
SHA-512:2C69586D5C5D2B4B5DECF2BF479554C3D0FF5F5A6FBACB01B8583EA8D96D0AE9C850C30A0D43EB2AD1116BE901578D15FE08FCE3E505440C854082C208A79F1A
Malicious:false
C:\Users\user\Desktop\msvcr100.dll
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):773968
Entropy (8bit):6.901559811406837
Encrypted:false
SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
MD5:0E37FBFA79D349D672456923EC5FBBE3
SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
Malicious:false
C:\Users\user\Desktop\otx-c2-iocs-ipv4.txt
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):299141
Entropy (8bit):5.387212552393288
Encrypted:false
SSDEEP:1536:yrny6bJvXQFdCMSqLU+v+1+O+H+t+j+G+a+D+H+7+U+c+W+l+g+a+d+a+Y+k+o+Z:qpd8SqLU+PEQ0TPpvpepwpTpfU
MD5:DB899FC55DFFCB1F7272D8311E8A4C83
SHA1:8C171C5A8119AE8EAB73ECE5E4091A200E75CEC9
SHA-256:4C7E5D223592EC36C078D29C8C0759B406D94A67CC2FF4E6625EA2345D230403
SHA-512:576146DB12EB6762F1C773C96DEF2A7AC93FD284EA2425B439948F4F0314A1F71900C629389D7DFB821F599628611E910655A198FDC8C14705E711D9B51C70D6
Malicious:false
Preview: 103.85.226.65;Drive-by download campaign targets Chinese websites, experiments with exploits https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experimen.185.203.116.126;AzorUlt Version 2: Atrocious Spyware infection using 3 in 1 RTF Document https://cysinfo.com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-.45.77.49.118;OSX/Coldroot RAT https://digitasecurity.com/blog/2018/02/19/coldroot/.50.63.202.38;Aveo Malware Family Targets Japanese Speaking Users http://researchcenter.paloaltonetworks.com/?p=17203.104.202.173.82;Aveo Malware Family Targets Japanese Speaking Users http://researchcenter.paloaltonetworks.com/?p=17203.107.180.36.179;Aveo Malware Family Targets Japanese Speaking Users http://researchcenter.paloaltonetworks.com/?p=17203.185.82.202.170;MTA 2016-05-10 - TUESDAY MALSPAM HUNT - CERBER, LOCKY http://malware-traffic-analysis.net/2016/05/10/index.html.69.162.104.130;MTA 2016-05-10 - TUESDAY MALSPAM HUNT - CERBER, LOCKY http://malware-traffic
C:\Users\user\Desktop\otx-c2-iocs.txt
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):4406805
Entropy (8bit):5.185051720745061
Encrypted:false
SSDEEP:49152:KpRHB6sl1uHaXvrVPmbGzGxmixP4Mtosl3ueeRJBkDhYR7mI5KG:G
MD5:FBFD431BF049CAE5228E316E65D98D4F
SHA1:4B848B149164B4A9C3BAB6512DCC56646C3A0236
SHA-256:39B94814919744D090C019A744B57A494CDD1B2920DCC3FE07FB244822F9DBB1
SHA-512:7882F2ED8BDAC7CB1308D244F4C35815376DF70BA234DB6C696816210B81B318B4FC9C33B49BBA030D31E2A9BD64FFC8CBA235AA189416ED0760BAF77D7BE78F
Malicious:true
Yara Hits:
• Rule: APT10_Malware_Sample_Gen, Description: APT 10 / Cloud Hopper malware campaign, Source: C:\Users\user\Desktop\otx-c2-iocs.txt, Author: Florian Roth
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Users\user\Desktop\otx-c2-iocs.txt, Author: Joe Security
Preview: safe-storage.biz;Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi.www.zxcvb.pw;Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulner.zxcvb.pw;Oracle Server Vulnerability Exploited to Deliver Double Monero Miner Payloads https://blog.trendmicro.com/trendlabs-security-intelligence/oracle-server-vulner.shiquanxian.cn;Drive-by download campaign targets Chinese websites, experiments with exploits https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experimen.ccnew.mm.my;Mirai-based Bot Turns IoT Devices into Proxy Servers https://blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-.rpnew.mm.my;Mirai-based Bot Turns IoT Devices into Proxy Servers https://blog.fortinet.com/2018/02/21/omg-mirai-based-bot-turns-iot-devices-into-.www.alkra
C:\Users\user\Desktop\otx-filename-iocs.txt
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
Size (bytes):1972
Entropy (8bit):5.229125835335747
Encrypted:false
SSDEEP:48:PfuNsaNsb/rHYhopcyho/DiODiziqQApiqwAquJfJ9Jb:3u3IYepteuzr5tZquJfJ9Jb
MD5:AF1E35C3CA64C628D3D8C0A75C0A32F8
SHA1:20399EBAB81608F666EC63C2744F0EA2F38319E4
SHA-256:708F1883715E084926DE9971B0D69D0A2674367F4893B57F13B6B46DBD9CA939
SHA-512:3B00966CF6AD2391D71F38232861EDC08B950E4D2ACD30CA7AEB484181F6320D8F02C41F9A532DFA3464DED37D4C7DB1684F5F4F4626AE7DCAF619341AE520AE
Malicious:false
Preview: %AppData%\\Local\\Temp\\bootloader\.dec;RTF Exploit Installs Italian RAT: uWarrior http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-.%AppData%\\Roaming\\warriors\.dat;RTF Exploit Installs Italian RAT: uWarrior http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-.dllhost\.dat;Petya Ransomware Fast Spreading Attack https://twitter.com/JoKe_42/status/879693258183647232 / https://twitter.com/crai.C:\\WINDOWS\\tasksche\.exe;WannaCry Indicators https://ghostbin.com/paste/xgvdv / https://www.alienvault.com/blogs/labs-researc.C:\\Windows\\mssecsvc\.exe;WannaCry Indicators https://ghostbin.com/paste/xgvdv / https://www.alienvault.com/blogs/labs-researc._DECRYPT_FILE\.html;Erebus Resurfaces as Linux Ransomware http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-._DECRYPT_FILE\.txt;Erebus Resurfaces as Linux Ransomware http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-./Users/_%Use
C:\Users\user\Desktop\otx-hash-iocs.txt
Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
File Type:Unknown
Category:dropped
                                                                                                                                                                                Size (bytes):7884338
                                                                                                                                                                                Entropy (8bit):5.498775480283331
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24576:iTjiCZRvv5xNZfMpFBL4gwYME6QQhytApTYApuzLZVv3FrJOflPvNE1uGxl0fKMJ:c5xNZfMpFBL3v3FrJ+t
                                                                                                                                                                                MD5:3DB2AA95C5FF96EE48CA515B87ED8522
                                                                                                                                                                                SHA1:B068B2F5DB2331707182BA048CA064DEFAECAB03
                                                                                                                                                                                SHA-256:239AFBBB2E3D2B3AE04EE67D8349C51E2919942DA514AD0C216C9680B60637D0
                                                                                                                                                                                SHA-512:D937370478224EB357EF06547C3A6A00B7265B4D38BBDB09D101A2F6804B2E6069339A00E8B308BB0BB047F68908C495B028FD209745C7FB7D3FA94C231A9018
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: 176AD6129ECE312F128A3195BF5AFC130801F2E849F89BC97610C1CE8D730772;Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi.6374349443708C96AD41B3F9B891B33F7DEC65FDF13E6B424D4D0AB7969C5E71;Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi.6F2C41E665AAB873D213583697D70EE79AD59A2B649164C15BD63518B09C429D;Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi.862C6EF1D24D2CBA9878B5E919683629C3516D9121F5CF703FF1CA42E2A06A77;Flash Exploit, CVE-2018-4878, Spotted in The Wild as Part of Massive Malspam Campaign https://blog.morphisec.com/flash-exploit-cve-2018-4878-spotted-in-the-wild-massi.EAF0F57CBCBDA0DBD2C60C5719731DDEAB76B6A10367D2679854202FDCA27388;Flash E
                                                                                                                                                                                C:\Users\user\Desktop\python27.dll
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2649600
                                                                                                                                                                                Entropy (8bit):6.722420193769921
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:49152:Mq1WL6TfbVYU9U/EaP/iv4CMbxndsBbWA8LEkt34PMnhMmQHNZlhId1Tfcd+yW3d:1WL6UPI4CMbxdeZAhXhMnHXledIpm
                                                                                                                                                                                MD5:2FEB5AD28FAE3DE286803C6CCC6491C0
                                                                                                                                                                                SHA1:C1A2CEEAF37778BBE0A187E8B6CC12E488224028
                                                                                                                                                                                SHA-256:E2460663CB2E97DD61AFB42E0310C026B8417D6C2C135F54D2DA90696BEA6FA4
                                                                                                                                                                                SHA-512:37D2FB967742A1207DFE763C276B7A1AE515F50A4D9D01A83951FF69D87FD33ED1CDBAB978AE8D3D7499CE7D0C3E756DC53711EA66E7B6E06758BCC511664B25
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Bu....{...{...{..[...{..l...{..l....{..l....{..l...{...z.<.{..l..{..l...{..l...{..l...{.Rich..{.................PE..L.....|\...........!.........................................................).....V.(...@..........................g!..|...P!.x....@(......................P(.P\.. ................................O!.@............................................text...z........................... ..`.rdata...D.......F..................@..@.data...0C....!..(....!.............@....rsrc........@(.......&.............@..@.reloc...f...P(..h....'.............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                C:\Users\user\Desktop\status.log
                                                                                                                                                                                Process:C:\Users\user\Desktop\vnwareupdate.exe
                                                                                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):49
                                                                                                                                                                                Entropy (8bit):4.459012079154174
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:VX5AWFhM7tGcXmQsH:95zFhIVy
                                                                                                                                                                                MD5:0CC9CA4EEBC24138DD2670414CC67BF8
                                                                                                                                                                                SHA1:7955920ECD07264255CDC1F19F6567D46B64089A
                                                                                                                                                                                SHA-256:9B3137480785AD1A388E6FD43A9B0F5834B71108668161DC4CDEF6FC7FB5C25B
                                                                                                                                                                                SHA-512:8263B326E0AC3A34D873D7FEA2FBB4A50D014B5BB4D75616A101ED9B577B93B0FD9B392556A2FA7B62F3888E9901B90B3C331CF70DB9B57FEC5CA6828FC67BB6
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: Yara rules decryption took 1.12399260615 seconds.
                                                                                                                                                                                C:\Users\user\Desktop\tcl\auto.tcl
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):20622
                                                                                                                                                                                Entropy (8bit):4.702090946165969
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:384:XVJ4cB1RJtA61ZX2pP9leP9R5Hx39kcaBXhTEFHOW2ezBWdtnH:r4cB1RJtA61ZGpP/ePv39kc+6HOW2ezG
                                                                                                                                                                                MD5:3CB566DC97AC449B52D3952FDB7991C6
                                                                                                                                                                                SHA1:91300BC60D2A3156D4FC1D263726134F06325196
                                                                                                                                                                                SHA-256:6082F2EB2AF9CD53FD5AC819B19ACBF428027107CE0B80D9AD836CDE1D091B43
                                                                                                                                                                                SHA-512:F7D3B6D39BCB9E9C9BFF2E36852F15550C850DC5E8FD5DE150739A37F03179820430FFB6501465B6AB64CC7F2CAF11679C7FBDAADE7074FC61670138A715C92B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # auto.tcl --.#.# utility procs formerly in init.tcl dealing with auto execution.# of commands and can be auto loaded themselves..#.# Copyright (c) 1991-1993 The Regents of the University of California..# Copyright (c) 1994-1998 Sun Microsystems, Inc..#.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#..# auto_reset --.#.# Destroy all cached information for auto-loading and auto-execution,.# so that the information gets recomputed the next time it's needed..# Also delete any commands that are listed in the auto-load index..#.# Arguments: .# None...proc auto_reset {} {. global auto_execs auto_index auto_path. if {[array exists auto_index]} {..foreach cmdName [array names auto_index] {.. set fqcn [namespace which $cmdName].. if {$fqcn eq ""} {continue}.. rename $fqcn {}..}. }. unset -nocomplain auto_execs auto_index ::tcl::auto_oldpath. if {[catch {llength $auto_path}]} {..set auto_
                                                                                                                                                                                C:\Users\user\Desktop\tcl\clock.tcl
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):130266
                                                                                                                                                                                Entropy (8bit):4.996819531498253
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:YklVEuKDDeJrJGjGAui+ur0keui1IsE8csTImhrudLzprnl2EMwlU/oTHHSSyQSy:EDDeJrJvAui+ur0keui1R5csTImhr6Lp
                                                                                                                                                                                MD5:3AD7ED0D9A7B03A20D993B1D66BF5B15
                                                                                                                                                                                SHA1:EAD405C4F731810944FD02A737D553D13E8D9197
                                                                                                                                                                                SHA-256:D2AEFFA593947CA60BDA3EC7AE9D2B54273F9ED2F4A3D0B630A157AB3CD98FD4
                                                                                                                                                                                SHA-512:EA76B3C49A215E7D3FFCC4B8463E2D2B5752643769A6C12D0B907C2A80A497FCDD390119B51612B2E4958A3E9589A3C6A706756A1611108076A79D5D790FDC00
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: #----------------------------------------------------------------------.#.# clock.tcl --.#.#.This file implements the portions of the [clock] ensemble that.#.are coded in Tcl. Refer to the users' manual to see the description.#.of the [clock] command and its subcommands..#.#.#----------------------------------------------------------------------.#.# Copyright (c) 2004,2005,2006,2007 by Kevin B. Kenny.# See the file "license.terms" for information on usage and redistribution.# of this file, and for a DISCLAIMER OF ALL WARRANTIES..#.#----------------------------------------------------------------------..# We must have message catalogs that support the root locale, and.# we need access to the Registry on Windows systems...uplevel \#0 {. package require msgcat 1.4. if { $::tcl_platform(platform) eq {windows} } {..if { [catch { package require registry 1.1 }] } {.. namespace eval ::tcl::clock [list variable NoRegistry {}]..}. }.}..# Put the library directory into the namespace
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\ascii.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):2.009389929214244
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:5TUvEESVrVJ/eyN9j233V2NdWTeVCT0VbsV7EV7sYnVAMmVZyg851VqxsGkl/:5TUmJvRju3ShVbsZiAMiZyb7PF
                                                                                                                                                                                MD5:68D69C53B4A9F0AABD60646CA7E06DAE
                                                                                                                                                                                SHA1:DD83333DC1C838BEB9102F063971CCC20CC4FD80
                                                                                                                                                                                SHA-256:294C97175FD0894093B866E73548AE660AEED0C3CC1E73867EB66E52D34C0DD2
                                                                                                                                                                                SHA-512:48960E838D30401173EA0DF8597BB5D9BC3A09ED2CFFCB774BA50CB0B2ACCF47AAD3BA2782B3D4A92BEF572CBD98A3F4109FC4344DB82EB207BFDE4F61094D72
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview: # Encoding file: ascii, single-byte
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\big5.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):92873
                                                                                                                                                                                Entropy (8bit):3.255311357682213
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:768:3kkmY4kD7HGJxYXIdjQWTGzvKHBDViIM1sbh+dJE+FKw0sXlWVvDg21jj9:cGfKqIQCGzv8D7ksb2Ur79jj9
                                                                                                                                                                                MD5:9E67816F304FA1A8E20D2270B3A53364
                                                                                                                                                                                SHA1:9E35EBF3D5380E34B92FE2744124F9324B901DD3
                                                                                                                                                                                SHA-256:465AE2D4880B8006B1476CD60FACF676875438244C1D93A7DBE4CDE1035E745F
                                                                                                                                                                                SHA-512:EE529DA3511EB8D73465EB585561D54833C46B8C31062299B46F5B9EE7EB5BE473E630AA264F45B2806FC1B480C8ED39A173FF1756CB6401B363568E951F0637
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: big5, multi-byte.M.003F 0 89.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.0020002100220023002400250026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.0080008100820083008400850086008700880089008A008B008C008D008E008F.0090009100920093009400950096009700980099009A009B009C009D009E009F.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.0000000000000000000000000000000000000000000000000000000000000000.00000000000000000000000000000000000000000
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp1250.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1091
                                                                                                                                                                                Entropy (8bit):3.286986942547087
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CqTUmJvRju3ShVbsZiAMiZyb7Ptuja5z8twsDO4yT2H:JgmOEVIwAMiw/Ptuja5z8RDtyT2H
                                                                                                                                                                                MD5:79ACD9BD261A252D93C9D8DDC42B8DF6
                                                                                                                                                                                SHA1:FA2271030DB9005D71FAAD60B44767955D5432DD
                                                                                                                                                                                SHA-256:1B42DF7E7D6B0FEB17CB0BC8D97E6CE6899492306DD880C48A39D1A2F0279004
                                                                                                                                                                                SHA-512:607F21A84AE569B19DF42463A56712D232CA192E1827E53F3ACB46D373EF4165A38FFBF116E28D4EAAEF49B08F6162C7A1C517CCE2DFACA71DA07193FEFFFF06
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview: # Encoding file: cp1250, single-byte
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp1251.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1091
                                                                                                                                                                                Entropy (8bit):3.288070862623515
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CTTUmJvRju3ShVbsZiAMiZyb7P4DRrwFsC/+H+SAJlM9aHe3cmx:wgmOEVIwAMiw/PStwFz/T5+smx
                                                                                                                                                                                MD5:55FB20FB09C610DB38C22CF8ADD4F7B8
                                                                                                                                                                                SHA1:604396D81FD2D90F5734FE6C3F283F8F19AABB64
                                                                                                                                                                                SHA-256:2D1BED2422E131A140087FAF1B12B8A46F7DE3B6413BAE8BC395C06F0D70B9B0
                                                                                                                                                                                SHA-512:07C6640BB40407C384BCF646CC436229AEC77C6398D57659B739DC4E180C81A1524F55A5A8F7B3F671A53320052AD888736383486CC01DFC317029079B17172E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview: # Encoding file: cp1251, single-byte
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp1252.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1091
                                                                                                                                                                                Entropy (8bit):3.2209074629945476
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:C4TUmJvRju3ShVbsZiAMiZyb7PMmVurcNvPNNAkbnMH+tjg:rgmOEVIwAMiw/PMhrUok7zE
                                                                                                                                                                                MD5:5900F51FD8B5FF75E65594EB7DD50533
                                                                                                                                                                                SHA1:2E21300E0BC8A847D0423671B08D3C65761EE172
                                                                                                                                                                                SHA-256:14DF3AE30E81E7620BE6BBB7A9E42083AF1AE04D94CF1203565F8A3C0542ACE0
                                                                                                                                                                                SHA-512:EA0455FF4CD5C0D4AFB5E79B671565C2AEDE2857D534E1371F0C10C299C74CB4AD113D56025F58B8AE9E88E2862F0864A4836FED236F5730360B2223FDE479DC
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview: # Encoding file: cp1252, single-byte
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp1253.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1091
                                                                                                                                                                                Entropy (8bit):3.3530146237761445
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CRTUmJvRju3ShVbsZiAMiZyb7PMuW24OrKUQQSqJWeIDmq:CgmOEVIwAMiw/PMuW2nKJQSqJWeI1
                                                                                                                                                                                MD5:2E5F553D214B534EBA29A9FCEEC36F76
                                                                                                                                                                                SHA1:8FF9A526A545D293829A679A2ECDD33AA6F9A90E
                                                                                                                                                                                SHA-256:2174D94E1C1D5AD93717B9E8C20569ED95A8AF51B2D3AB2BCE99F1A887049C0E
                                                                                                                                                                                SHA-512:44AB13C0D322171D5EE62946086058CF54963F91EC3F899F3A10D051F9828AC66D7E9F8055026E938DDD1B97A30D5D450B89D72F9113DEE2DBBB62DDBBBE456C
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview: # Encoding file: cp1253, single-byte
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp1254.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1091
                                                                                                                                                                                Entropy (8bit):3.2357714075228494
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CWTUmJvRju3ShVbsZiAMiZyb7PMSrcmvPNNAkKMH+tZL/M:lgmOEVIwAMiw/PMSrrokKzR0
                                                                                                                                                                                MD5:35AD7A8FC0B80353D1C471F6792D3FD8
                                                                                                                                                                                SHA1:484705A69596C9D813EA361625C3A45C6BB31228
                                                                                                                                                                                SHA-256:BC4CBE4C99FD65ABEA45FBDAF28CC1D5C42119280125FBBD5C2C11892AE460B2
                                                                                                                                                                                SHA-512:CCA3C6A4B826E0D86AC10E45FFC6E5001942AA1CF45B9E0229D56E06F2600DDA0139764F1222C56CF7A9C14E6E6C387F9AB265CB9B936E803FECD8285871C70F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview: # Encoding file: cp1254, single-byte
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp1255.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1091
                                                                                                                                                                                Entropy (8bit):3.267336792625871
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CfTUmJvRju3ShVbsZiAMiZyb7PMI22iEePlNQhv6l50b:MgmOEVIwAMiw/PMI27EsQhvgg
                                                                                                                                                                                MD5:0419DBEE405723E7A128A009DA06460D
                                                                                                                                                                                SHA1:660DBE4583923CBDFFF6261B1FADF4349658579C
                                                                                                                                                                                SHA-256:F8BD79AE5A90E5390D77DC31CB3065B0F93CB8813C9E67ACCEC72E2DB2027A08
                                                                                                                                                                                SHA-512:FDD9F23A1B5ABBF973BEE28642A7F28F767557FE842AF0B30B1CF97CD258892F82E547392390A51900DC7FF5D56433549A5CB463779FC131E885B00568F86A32
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview: # Encoding file: cp1255, single-byte
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp1256.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1091
                                                                                                                                                                                Entropy (8bit):3.3332869352420795
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:C0TUmJvRju3ShVbsZiAMiZyb7Ps0pPESLym/cwPm+ZMZjyco/fQIG/h:XgmOEVIwAMiw/Ps0FPLym/AsBfg/h
                                                                                                                                                                                MD5:0FFA293AA50AD2795EAB7A063C4CCAE5
                                                                                                                                                                                SHA1:38FEE39F44E14C3A219978F8B6E4DA548152CFD6
                                                                                                                                                                                SHA-256:BBACEA81D4F7A3A7F3C036273A4534D31DBF8B6B5CCA2BCC4C00CB1593CF03D8
                                                                                                                                                                                SHA-512:AB4A6176C8C477463A6CABD603528CEB98EF4A7FB9AA6A8659E1AA6FE3F88529DB9635D41649FBAD779AEB4413F9D8581E6CA078393A3042B468E8CAE0FA0780
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview: # Encoding file: cp1256, single-byte
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp1257.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1091
                                                                                                                                                                                Entropy (8bit):3.2734430397929604
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CNTUmJvRju3ShVbsZiAMiZyb7PtuWTfN641PaxUVG4da:ugmOEVIwAMiw/PtuWkgVfa
                                                                                                                                                                                MD5:A1CCD70248FEA44C0EBB51FB71D45F92
                                                                                                                                                                                SHA1:CC103C53B3BA1764714587EAEBD92CD1BC75194D
                                                                                                                                                                                SHA-256:4151434A714FC82228677C39B07908C4E19952FC058E26E7C3EBAB7724CE0C77
                                                                                                                                                                                SHA-512:74E4A13D65FAB11F205DB1E6D826B06DE421282F7461B273196FD7EECEE123EA0BD32711640B15B482C728966CC0C70FFC67AEDAD91566CA87CD623738E34726
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview: # Encoding file: cp1257, single-byte
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp1258.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1091
                                                                                                                                                                                Entropy (8bit):3.226508038800896
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CKlTUmJvRju3ShVbsZiAMiZyb7PMIX2jmvPNNXkohWiZo//:xgmOEVIwAMiw/PMIXXfkohnun
                                                                                                                                                                                MD5:BB010BFF4DD16B05EEB6E33E5624767A
                                                                                                                                                                                SHA1:6294E42ED22D75679FF1464FF41D43DB3B1824C2
                                                                                                                                                                                SHA-256:0CDB59E255CCD7DCF4AF847C9B020AEAEE78CE7FCF5F214EBCF123328ACF9F24
                                                                                                                                                                                SHA-512:2CD34F75DC61DC1495B0419059783A5579932F43DB9B125CADCB3838A142E0C1CD7B42DB71EF103E268206E31099D6BB0670E84D5658C0E18D0905057FF87182
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview: # Encoding file: cp1258, single-byte
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp437.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.447501009231115
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CFyTUmJvRju3ShVbsZiAMiZyb7P4jpuKBIrRjK8DvmH:wygmOEVIwAMiw/PYwjKgmH
                                                                                                                                                                                MD5:8645C2DFCC4D5DAD2BCD53A180D83A2F
                                                                                                                                                                                SHA1:3F725245C66050D39D9234BAACE9D047A3842944
                                                                                                                                                                                SHA-256:D707A1F03514806E714F01CBFCB7C9F9973ACDC80C2D67BBD4E6F85223A50952
                                                                                                                                                                                SHA-512:208717D7B1CBDD8A0B8B3BE1B6F85353B5A094BDC370E6B8396158453DD7DC400EE6C4D60490AD1A1F4C943E733298FC971AE30606D6BAB14FB1290B886C76D0
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                 Preview: # Encoding file: cp437, single-byte
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp737.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.551534707521956
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CjTUmJvRju3ShVbsZiAMiZyb7P48KhQFhWeYDr1K8DZckbiY:WgmOEVIwAMiw/P9KhQFhWeY31Kk2Y
                                                                                                                                                                                MD5:C68ADEFE02B77F6E6B5217CD83D46406
                                                                                                                                                                                SHA1:C95EA4ED3FBEF013D810C0BFB193B15FA8ADE7B8
                                                                                                                                                                                SHA-256:8BFCA34869B3F9A3B2FC71B02CBAC41512AF6D1F8AB17D2564E65320F88EDE10
                                                                                                                                                                                SHA-512:5CCAACD8A9795D4FE0FD2AC6D3E33C10B0BCC43B29B45DFBA66FBD180163251890BB67B8185D806E4341EB01CB1CED6EA682077577CC9ED948FC094B099A662A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: cp737, single-byte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
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp775.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.3818286672990854
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CsOTUmJvRju3ShVbsZiAMiZyb7P4DBcqb67JnsUgqIPfJ:AgmOEVIwAMiw/PSzb67NsrLPR
                                                                                                                                                                                MD5:DE1282E2925870A277AF9DE4C52FA457
                                                                                                                                                                                SHA1:F4301A1340A160E1F282B5F98BF9FACBFA93B119
                                                                                                                                                                                SHA-256:44FB04B5C72B584B6283A99B34789690C627B5083C5DF6E8B5B7AB2C68903C06
                                                                                                                                                                                SHA-512:08173FC4E5FC9AA9BD1E296F299036E49C0333A876EA0BDF40BEC9F46120329A530B6AA57B32BC83C7AA5E6BD20DE9F616F4B17532EE54634B6799C31D8F668F
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: cp775, single-byte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
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp850.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.301196372002172
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:C9TUmJvRju3ShVbsZiAMiZyb7P4jpuKBc+mTRF5aefDT4HJ:EgmOEVIwAMiw/PYelF5xfn4p
                                                                                                                                                                                MD5:FF3D96C0954843C7A78299FED6986D9E
                                                                                                                                                                                SHA1:5EAD37788D124D4EE49EC4B8AA1CF6AAA9C2849C
                                                                                                                                                                                SHA-256:55AA2D13B789B3125F5C9D0DC5B6E3A90D79426D3B7825DCD604F56D4C6E36A2
                                                                                                                                                                                SHA-512:B76CD82F3204E17D54FB679615120564C53BBE27CC474101EE073EFA6572B50DB2E9C258B09C0F7EAE8AC445D469461364C81838C07D41B43E353107C06C247E
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: cp850, single-byte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
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp852.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.3816687566591797
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CPTUmJvRju3ShVbsZiAMiZyb7P4OvEUs5ycHQjc59X/C:mgmOEVIwAMiw/Pkv5ycHQjc59Xa
                                                                                                                                                                                MD5:25A59EA83B8E9F3322A54B138861E274
                                                                                                                                                                                SHA1:904B357C30603DFBCF8A10A054D9399608B131DF
                                                                                                                                                                                SHA-256:5266B6F18C3144CFADBCB7B1D27F0A7EAA1C641FD3B33905E42E4549FD373770
                                                                                                                                                                                SHA-512:F7E41357849599E7BA1D47B9B2E615C3C2EF4D432978251418EBF9314AAEB0E1B0A56ED14ED9BA3BE46D3DABE5DD80E0CA6592AE88FB1923E7C3D90D7F846709
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: cp852, single-byte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
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp855.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.3580450853378596
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CoTUmJvRju3ShVbsZiAMiZyb7P4hHVLjwk6rMZCb32SLauDbr:hgmOEVIwAMiw/PM/wcMb3VuuT
                                                                                                                                                                                MD5:0220F1955F01B676D2595C30DEFB6064
                                                                                                                                                                                SHA1:F8BD4BF6D95F672CB61B8ECAB580A765BEBDAEA5
                                                                                                                                                                                SHA-256:E3F071C63AC43AF66061506EF2C574C35F7BF48553FB5158AE41D9230C1A10DF
                                                                                                                                                                                SHA-512:F7BFF7D6534C9BFDBF0FB0147E31E948F60E933E6DA6A39E8DC62CC55FEBDD6901240460D7B3C0991844CDEE7EB8ED26E5FDBBC12BDC9B8173884D8FCA123B69
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: cp855, single-byte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
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp857.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.2936796452153128
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CaTUmJvRju3ShVbsZiAMiZyb7P4jpu6u/5WH5aeoC4ljIJ:jgmOEVIwAMiw/Pr/UH5xp4l6
                                                                                                                                                                                MD5:58C52199269A3BB52C3E4C20B5CE6093
                                                                                                                                                                                SHA1:888499D9DFDF75C60C2770386A4500F35753CE70
                                                                                                                                                                                SHA-256:E39985C6A238086B54427475519C9E0285750707DB521D1820E639723C01C36F
                                                                                                                                                                                SHA-512:754667464C4675E8C8F2F88A9211411B3648068085A898D693B33BF3E1FAECC9676805FD2D1A4B19FAAB30E286236DCFB2FC0D498BF9ABD9A5E772B340CEE768
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: cp857, single-byte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
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp860.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.438607583601603
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CMTUmJvRju3ShVbsZiAMiZyb7P4Aj4AxOt49+nK8DvmH:VgmOEVIwAMiw/PeR+snKgmH
                                                                                                                                                                                MD5:8CA7C4737A18D5326E9A437D5ADC4A1A
                                                                                                                                                                                SHA1:C6B1E9320EEF46FC9A23437C255E4085EA2980DB
                                                                                                                                                                                SHA-256:6DB59139627D29ABD36F38ED2E0DE2A6B234A7D7E681C7DBAF8B888F1CAC49A5
                                                                                                                                                                                SHA-512:2D2427E7A3FF18445321263A42C6DA560E0250691ACBE5113BDE363B36B5E9929003F3C91769A02FF720AB8261429CBFA9D9580C1065FFE77400327B1A5539A6
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: cp860, single-byte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
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp861.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.4494568686644276
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:ClTUmJvRju3ShVbsZiAMiZyb7P4jpOkPn9R2GRK8DvmH:8gmOEVIwAMiw/PAPXvKgmH
                                                                                                                                                                                MD5:45F0D888DBCB56703E8951C06CFAED51
                                                                                                                                                                                SHA1:53529772EA6322B7949DB73EEBAED91E5A5BA3DA
                                                                                                                                                                                SHA-256:A43A5B58BFC57BD723B12BBDEA9F6E1A921360B36D2D52C420F37299788442D3
                                                                                                                                                                                SHA-512:61D0C361E1C7D67193409EC327568867D1FD0FE448D11F16A08638D3EE31BE95AD37B8A2E67B8FB448D09489AA3F5D65AD9AC18E9BDC690A049F0C015BA806F1
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: cp861, single-byte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
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp862.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.4900477558394694
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CdMTUmJvRju3ShVbsZiAMiZyb7P4N6rRjK8DvmH:iMgmOEVIwAMiw/PljKgmH
                                                                                                                                                                                MD5:E417DCE52E8438BBE9AF8AD51A09F9E3
                                                                                                                                                                                SHA1:EF273671D46815F22996EA632D22CC27EB8CA44B
                                                                                                                                                                                SHA-256:AEA716D490C35439621A8F00CA7E4397EF1C70428E206C5036B7AF25F1C3D82F
                                                                                                                                                                                SHA-512:97D65E05008D75BC56E162D51AB76888E1FA0591D9642D7C0D09A5CE823904B5D6C14214828577940EDBE7F0265ABACDD67E4E12FACFDF5C7CD35FA80B90EC02
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: cp862, single-byte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
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp863.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.450081751310228
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CXTUmJvRju3ShVbsZiAMiZyb7P4aGuXVsq5RNK8DvmH:egmOEVIwAMiw/PT3VswKgmH
                                                                                                                                                                                MD5:A2C4062EB4F37C02A45B13BD08EC1120
                                                                                                                                                                                SHA1:7F6ED89BD0D415C64D0B8A037F08A47FEADD14C4
                                                                                                                                                                                SHA-256:13B5CB481E0216A8FC28BFA9D0F6B060CDF5C457B3E12435CA826EB2EF52B068
                                                                                                                                                                                SHA-512:95EFDA8CBC5D52E178640A145859E95A780A8A25D2AF88F98E8FFFA035016CABAE2259D22B3D6A95316F64138B578934FAF4C3403E35C4B7D42E0369B5D88C9B
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: cp863, single-byte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
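Each dropped-file entry above carries the size, the 8-bit entropy and four digests, which is exactly what is needed to re-verify a dropped file offline (for example to confirm that a `tcl\encoding\*.enc` matches the copy shipped with a known Tcl distribution rather than a modified one) and to separate plain text tables like these (entropy 3.3 to 3.7) from the compressed installer payload (the sample itself is reported at 7.9988 under Static File Info further down). The script below is an added example, not code from the sandbox or the report; its inputs are constructed here, its triage thresholds are assumed, and its field names mirror the report's labels.

```python
"""Recompute the per-file fields a sandbox report lists for each dropped file
(size, MD5, SHA1, SHA-256, SHA-512, 8-bit Shannon entropy) and compare them
with the reported values. Added example, not part of the report."""
import hashlib
import math
import random
from collections import Counter
from typing import Dict, List


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte over the byte-value histogram: 0.0 when every
    byte has the same value, 8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_record(data: bytes) -> Dict[str, object]:
    """The same fields the report prints; digests upper-case hex like the report."""
    return {
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy_8bit(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def mismatches(data: bytes, reported: Dict[str, object],
               entropy_tol: float = 1e-6) -> List[str]:
    """Names of reported fields that do not match a recomputation over `data`.
    Digests compare case-insensitively; entropy is compared with a tolerance
    because reports print it with floating-point noise in the trailing digits.
    Fields this script does not compute (SSDEEP, File Type, ...) are skipped."""
    computed = file_record(data)
    bad = []
    for key, value in reported.items():
        if key not in computed:
            continue
        if key == "Entropy (8bit)":
            if abs(float(value) - computed[key]) > entropy_tol:
                bad.append(key)
        elif key == "Size (bytes)":
            if int(value) != computed[key]:
                bad.append(key)
        elif str(value).upper() != computed[key]:
            bad.append(key)
    return bad


def entropy_label(entropy: float) -> str:
    """Coarse triage bucket. Thresholds are this example's assumption, not the
    report's: near 8 bits/byte means compressed, packed or encrypted content."""
    if entropy >= 7.9:
        return "packed/compressed/encrypted"
    if entropy >= 6.0:
        return "mixed binary"
    return "text/table"


# Constructed inputs (not files from the analysis): a hex table in the style of
# the dropped .enc previews, and pseudo-random bytes standing in for a
# compressed installer payload.
TEXT_SAMPLE = ("# Encoding file: toy, single-byte\nS\n003F 0 1\n00\n"
               + "".join(f"{b:04X}" for b in range(256)) + "\n").encode()
RANDOM_SAMPLE = random.Random(1).randbytes(8192)

if __name__ == "__main__":
    for name, blob in (("text table", TEXT_SAMPLE), ("random blob", RANDOM_SAMPLE)):
        rec = file_record(blob)
        print(f"{name}: size={rec['Size (bytes)']} entropy={rec['Entropy (8bit)']:.4f} "
              f"-> {entropy_label(rec['Entropy (8bit)'])}")
    # A deliberately wrong MD5 in an otherwise matching record is flagged:
    rec = file_record(TEXT_SAMPLE)
    print(mismatches(TEXT_SAMPLE, {**rec, "MD5": "00" * 16}))
```

To check a real dropped file, read it with `open(path, "rb").read()` and pass the report's key/value lines for that entry as the `reported` dict; an empty list back means size, entropy and all four digests agree.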
                                                                                                                                                                                C:\Users\user\Desktop\tcl\encoding\cp864.enc
                                                                                                                                                                                Process:C:\Users\user\Desktop\GZe6EcSTpO.exe
                                                                                                                                                                                File Type:Unknown
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1090
                                                                                                                                                                                Entropy (8bit):3.6558830653506647
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:CwTUmJvRju3YhVbsZiAMiZyb7P46SY927iqtcYQjDUjSD:5gmOqVIwAMiw/PCXjcYQfcSD
                                                                                                                                                                                MD5:3C88BF83DBA99F7B682120FBEEC57336
                                                                                                                                                                                SHA1:E0CA400BAE0F66EEBE4DFE147C5A18DD3B00B78C
                                                                                                                                                                                SHA-256:E87EC076F950FCD58189E362E1505DD55B0C8F4FA7DD1A9331C5C111D2CE569F
                                                                                                                                                                                SHA-512:6BD65D0A05F57333DA0078759DB2FC629B56C47DAB24E231DE41AD0DF3D07BF7A2A55D1946A7BA38BE228D415FB2BDB606BF1EF243974ED7DFD204548B2A43BA
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview: # Encoding file: cp864, single-byte.S.003F 0 1.00.0000000100020003000400050006000700080009000A000B000C000D000E000F.0010001100120013001400150016001700180019001A001B001C001D001E001F.00200021002200230024066A0026002700280029002A002B002C002D002E002F.0030003100320033003400350036003700380039003A003B003C003D003E003F.0040004100420043004400450046004700480049004A004B004C004D004E004F.0050005100520053005400550056005700580059005A005B005C005D005E005F.0060006100620063006400650066006700680069006A006B006C006D006E006F.0070007100720073007400750076007700780079007A007B007C007D007E007F.00B000B72219221A259225002502253C2524252C251C25342510250C25142518.03B2221E03C600B100BD00BC224800AB00BBFEF7FEF8009B009CFEFBFEFC009F.00A000ADFE8200A300A4FE8400000000FE8EFE8FFE95FE99060CFE9DFEA1FEA5.0660066106620663066406650666066706680669FED1061BFEB1FEB5FEB9061F.00A2FE80FE81FE83FE85FECAFE8BFE8DFE91FE93FE97FE9BFE9FFEA3FEA7FEA9.FEABFEADFEAFFEB3FEB7FEBBFEBFFEC1FEC5FECBFECF00A600AC00F700D7FEC9.0640FED3FED7FEDBFEDFFEE3FEE7FEEBFEEDFEEF
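The cp864 entry above shows the complete layout of a Tcl single-byte encoding table (the report renders each newline as a dot): a `#` comment line, the type line `S`, a header `003F 0 1` (fallback code point 0x3F, i.e. `?`, a symbol-font flag and the page count), the page number `00`, then sixteen rows of sixteen four-digit hex code points indexed by byte value, with `0000` marking an unmapped byte (0xA6 and 0xA7 in the row beginning `00A000AD`). The parser below is an added example, not code from the report or from Tcl: it reads that layout and decodes and encodes with it. The table it runs on is constructed here rather than taken from the dropped file, the U+FFFD replacement for unmapped bytes is this example's choice, and the reading of the header fields follows what Tcl's table loader expects.

```python
"""Parse a Tcl single-byte encoding table (.enc) and decode/encode bytes with
it. Added example for the dropped tcl\\encoding\\*.enc files; not from the report."""
import re
from typing import Dict

REPLACEMENT = "\ufffd"  # assumption: unmapped bytes decode to U+FFFD unless strict


class TclSingleByteEncoding:
    def __init__(self, fallback: int, symbol: bool, table: Dict[int, str]):
        self.fallback = fallback   # code point emitted when encoding fails
        self.symbol = symbol       # '1' in the header marks a symbol-font table
        self.table = table         # byte -> character; unmapped bytes are absent
        self.reverse = {ch: b for b, ch in table.items()}

    @classmethod
    def parse(cls, text: str) -> "TclSingleByteEncoding":
        lines = [ln.strip() for ln in text.splitlines()]
        # '#' comment lines precede the table ('# Encoding file: cp864, single-byte')
        body = [ln for ln in lines if ln and not ln.startswith("#")]
        if not body or body[0] != "S":
            raise ValueError("only single-byte ('S') tables are handled here")
        m = re.fullmatch(r"([0-9A-Fa-f]+)\s+([01])\s+(\d+)", body[1])
        if not m:
            raise ValueError(f"bad header line: {body[1]!r}")
        fallback, symbol, npages = int(m.group(1), 16), m.group(2) == "1", int(m.group(3))
        if npages != 1 or body[2] != "00":
            raise ValueError("a single-byte table has exactly one page, numbered 00")
        rows = body[3:19]
        if len(rows) != 16 or any(not re.fullmatch(r"[0-9A-Fa-f]{64}", r) for r in rows):
            raise ValueError("expected 16 rows of 16 four-digit hex code points")
        table: Dict[int, str] = {}
        for row, hexrow in enumerate(rows):
            for col in range(16):
                cp = int(hexrow[col * 4: col * 4 + 4], 16)
                byte = row * 16 + col
                if cp != 0 or byte == 0:   # 0000 marks an unmapped byte (except byte 00)
                    table[byte] = chr(cp)
        return cls(fallback, symbol, table)

    def decode(self, data: bytes, strict: bool = False) -> str:
        out = []
        for i, b in enumerate(data):
            ch = self.table.get(b)
            if ch is None:
                if strict:
                    raise UnicodeDecodeError("tcl-enc", data, i, i + 1, "unmapped byte")
                ch = REPLACEMENT
            out.append(ch)
        return "".join(out)

    def encode(self, text: str) -> bytes:
        # characters outside the table become the header's fallback ('?' for 003F)
        fb = self.reverse.get(chr(self.fallback), self.fallback & 0xFF)
        return bytes(self.reverse.get(ch, fb) for ch in text)


def constructed_sample_enc() -> str:
    """A constructed table in the same layout as the cp864 preview: ASCII maps
    to itself, four high bytes map to real code points, the rest are 0000."""
    high = {0x80: 0x00B0, 0x81: 0x2500, 0x82: 0xFE80, 0x83: 0x066A}
    rows = []
    for row in range(16):
        cps = [(b if b < 0x80 else high.get(b, 0)) for b in range(row * 16, row * 16 + 16)]
        rows.append("".join(f"{cp:04X}" for cp in cps))
    return "\n".join(["# Encoding file: toy, single-byte", "S", "003F 0 1", "00", *rows]) + "\n"


ENC = TclSingleByteEncoding.parse(constructed_sample_enc())

if __name__ == "__main__":
    print(ENC.decode(b"A\x80\x83\xff"))      # 'A', degree sign, Arabic percent, U+FFFD
    print(ENC.encode("A\u00b0\u20ac"))       # euro is not in the table -> b'A\x80?'
```

Pointing `parse` at the dropped `cp864.enc` instead of the constructed table gives the mapping the report's preview shows in hex, which is one way to confirm such a file is an ordinary Tcl encoding table and not a disguised payload.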

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.998820071583367
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: GZe6EcSTpO.exe
File size: 16770272
MD5: 87e0355c098d2dfd890ae4c9da26bbdd
SHA1: 5f300f4dd15cccbe51cd4df51ac30b7c2c84fc75
SHA256: 570c3c298c2d30bfd7d824b0ec8e28b3efa51bf269297348fc5fc30cb81a2d7e
SHA512: 48767a16b133dd434d7902c5785205807d55f85f977370414a279f3ee9088f07a256ccfdaf3a9d8ac7d60f11a9dd72008835bb95c4e98e42870b8a8c33486348
SSDEEP: 393216:OoAS/3t2zQuoUrh/dSRsY9+bpNIAQ4tpy0GMxn0UDIpFKHgBM:VD/dUQjD9jAQdMxM2HgBM
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...)..\.................d...|.....

File Icon

Icon Hash: e0d08cf8d8ccc8e0

Static PE Info

General

Entrypoint: 0x40320c
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5C157F29 [Sat Dec 15 22:24:41 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 3abe302b6d9a1256e6a915429af4ffd2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F40Ch], eax
je 00007F66B8AE8C63h
push ebx
call 00007F66B8AEBD3Ah
cmp eax, ebx
je 00007F66B8AE8C59h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F66B8AEBCB6h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F66B8AE8C3Dh
push 0000000Ah
call 00007F66B8AEBD0Eh
push 00000008h
call 00007F66B8AEBD07h
push 00000006h
mov dword ptr [0042F404h], eax
call 00007F66B8AEBCFBh
cmp eax, ebx
je 00007F66B8AE8C61h
push 0000001Eh
call eax
test eax, eax
je 00007F66B8AE8C59h
or byte ptr [0042F40Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429830h
call dword ptr [00408178h]
push 0040A188h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x853c           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x38000          0x3c40        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x298         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x628f        0x6400    False     0.6700390625     data       6.44220708071  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x135c        0x1400    False     0.4611328125     data       5.24004347634  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x25518       0x600     False     0.455078125      data       4.0493801016   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x30000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x38000          0x3c40        0x3e00    False     0.637978830645   data       6.04106553494  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size    Type                                                                        Language  Country
RT_ICON        0x38250  0x10a8  data                                                                        English   United States
RT_ICON        0x392f8  0xea8   data                                                                        English   United States
RT_ICON        0x3a1a0  0x8a8   data                                                                        English   United States
RT_ICON        0x3aa48  0x568   GLS_BINARY_LSB_FIRST                                                        English   United States
RT_ICON        0x3afb0  0x468   GLS_BINARY_LSB_FIRST                                                        English   United States
RT_ICON        0x3b418  0x2e8   data                                                                        English   United States
RT_ICON        0x3b700  0x128   GLS_BINARY_LSB_FIRST                                                        English   United States
RT_DIALOG      0x3b828  0x60    data                                                                        English   United States
RT_GROUP_ICON  0x3b888  0x68    data                                                                        English   United States
RT_MANIFEST    0x3b8f0  0x349   XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

Imports

KERNEL32.dll: GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll: ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll: SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll: AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll: ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 13:46:03
Start date: 02/04/2021
Path: C:\Users\user\Desktop\GZe6EcSTpO.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\GZe6EcSTpO.exe'
Imagebase: 0x400000
File size: 16770272 bytes
MD5 hash: 87E0355C098D2DFD890AE4C9DA26BBDD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 13:46:09
Start date: 02/04/2021
Path: C:\Users\user\Desktop\vnwareupdate.exe
Wow64 process (32bit): true
                                                                                                                                                                                Commandline:'C:\Users\user\Desktop\vnwareupdate.exe' -r tNdLZso+RbiqYzcNMmDUvJn8W3VMjDSxgB461SVTbrzMmtabvNhkHuZIvNduUGjO7UzqsUnmuPq7GKNjbUUEmbjXWxezy7xJ04G+icWNgQLiwxU/H/LMW24G/9O1+8K4oWZz+411UOx9sxEV6gpox/NT3jtp1cMUSmDDWI3Abi8XrFiOXG8AgMkOFBVNgdv0d+Dha+cRprvunFNJBh/+mVDp1EkdsXXU0eMQcUpns8p6kdiZ4rFZD4y5oVgqOEZ9Po4Z4HgwiHmPwR8ajszuHS68AdaUj0pH0IEHv2mNV71t2soPIKLuE6vIlqTHadsqd5m4qTWlE5yUZYw6YMMgmll72lf1E232p9MVl4yhetYBzNx+sWPE+DpILBlSmddPucuORCpaLa5yzRa7ZbJ98jQfjCVZUbyNMn5Vxk30OIGoBOyrsN0VmKcdDsRZxUCHQhupf0BXrgN7wh46haut8zZzv6puQEmuGL/8u2wQFQEd9pNBJ0Rlv3QP/bjyE945wMYCc6Xz4QLd03mLiDwTqcCYAP/KGG8Yhr3pv/YbSaeW0WUI4zwTjoJArSp8wQL4F7Eb5XLV6Id8VVowmbmosktt/RQUrLvThJExvG5SvJP/mUR4/fnp2sNhMJrQ0VYv8PabCT5DFqxapVfyOG02/QYIIhU=
Imagebase: 0x400000
File size: 10752 bytes
MD5 hash: FA8AFFACE280644885152DE7CD3234EE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp, Author: unknown
• Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000003.00000002.522931627.000000000237B000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
• Rule: Msfpayloads_msf, Description: Metasploit Payloads - file msf.sh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Msfpayloads_msf_psh, Description: Metasploit Payloads - file msf-psh.vba, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Msfpayloads_msf_exe, Description: Metasploit Payloads - file msf-exe.vba, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Msfpayloads_msf_3, Description: Metasploit Payloads - file msf.psh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Msfpayloads_msf_4, Description: Metasploit Payloads - file msf.aspx, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Msfpayloads_msf_cmd, Description: Metasploit Payloads - file msf-cmd.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: netbiosX, Florian Roth
• Rule: PowerShell_ISESteroids_Obfuscation, Description: Detects PowerShell ISESteroids obfuscation, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Payload_Exe2Hex, Description: Detects payload generated by exe2hex, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Codoso_CustomTCP_4, Description: Detects Codoso APT CustomTCP Malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Codoso_PGV_PVID_1, Description: Detects Codoso APT PGV PVID Malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: GhostDragon_Gh0stRAT, Description: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: GhostDragon_Gh0stRAT_Sample2, Description: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: CoreImpact_sysdll_exe, Description: Detects a malware sysdll.exe from the Rocket Kitten APT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Reflective_DLL_Loader_Aug17_1, Description: Detects Reflective DLL Loader, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Reflective_DLL_Loader_Aug17_2, Description: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Reflective_DLL_Loader_Aug17_3, Description: Detects Reflective DLL Loader, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WoolenGoldfish_Sample_1, Description: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WoolenGoldfish_Generic_3, Description: Detects a operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: QuarksPwDump_Gen, Description: Detects all QuarksPWDump versions, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_create_dns_injection, Description: EQGRP Toolset Firewall - file create_dns_injection.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_screamingplow, Description: EQGRP Toolset Firewall - file screamingplow.sh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_MixText, Description: EQGRP Toolset Firewall - file MixText.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_tunnel_state_reader, Description: EQGRP Toolset Firewall - file tunnel_state_reader, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_payload, Description: EQGRP Toolset Firewall - file payload.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_eligiblecandidate, Description: EQGRP Toolset Firewall - file eligiblecandidate.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_BUSURPER_2211_724, Description: EQGRP Toolset Firewall - file BUSURPER-2211-724.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_networkProfiler_orderScans, Description: EQGRP Toolset Firewall - file networkProfiler_orderScans.sh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_epicbanana_2_1_0_1, Description: EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_sniffer_xml2pcap, Description: EQGRP Toolset Firewall - file sniffer_xml2pcap, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_BananaAid, Description: EQGRP Toolset Firewall - file BananaAid, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_config_jp1_UA, Description: EQGRP Toolset Firewall - file config_jp1_UA.pl, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_userscript, Description: EQGRP Toolset Firewall - file userscript.FW, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_BUSURPER_3001_724, Description: EQGRP Toolset Firewall - file BUSURPER-3001-724.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_workit, Description: EQGRP Toolset Firewall - file workit.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_tinyhttp_setup, Description: EQGRP Toolset Firewall - file tinyhttp_setup.sh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_EPBA, Description: EQGRP Toolset Firewall - file EPBA.script, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_jetplow_SH, Description: EQGRP Toolset Firewall - file jetplow.sh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_extrabacon, Description: EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_sploit_py, Description: EQGRP Toolset Firewall - file sploit.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_uninstallPBD, Description: EQGRP Toolset Firewall - file uninstallPBD.bat, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_BICECREAM, Description: EQGRP Toolset Firewall - file BICECREAM-2140, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_BFLEA_2201, Description: EQGRP Toolset Firewall - file BFLEA-2201.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_StoreFc, Description: EQGRP Toolset Firewall - file StoreFc.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_BBALL, Description: EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_BARPUNCH_BPICKER, Description: EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_Implants_Gen5, Description: EQGRP Toolset Firewall, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_pandarock, Description: EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_BananaUsurper_writeJetPlow, Description: EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_Implants_Gen4, Description: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_Implants_Gen3, Description: EQGRP Toolset Firewall, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_BLIAR_BLIQUER, Description: EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_sploit, Description: EQGRP Toolset Firewall - from files sploit.py, sploit.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_Implants_Gen2, Description: EQGRP Toolset Firewall, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_Implants_Gen1, Description: EQGRP Toolset Firewall, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_ssh_telnet_29, Description: EQGRP Toolset Firewall - from files ssh.py, telnet.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_callbacks, Description: EQGRP Toolset Firewall - Callback addresses, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_Extrabacon_Output, Description: EQGRP Toolset Firewall - Extrabacon exploit output, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EQGRP_Unique_Strings, Description: EQGRP Toolset Firewall - Unique strings, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: kerberoast_PY, Description: Auto-generated rule - file kerberoast.py, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: p0wnedPowerCat, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: p0wnedPotato, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: p0wnedExploits, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: p0wnedBinaries, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: p0wnedAmsiBypass, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: p0wnedShell_outputs, Description: p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PlugX_J16_Gen2, Description: Detects PlugX Malware Samples from June 2016, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Venom_Rootkit, Description: Venom Linux Rootkit, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ps1_toolkit_Invoke_Shellcode, Description: Auto-generated rule - file Invoke-Shellcode.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ps1_toolkit_Invoke_Mimikatz, Description: Auto-generated rule - file Invoke-Mimikatz.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ps1_toolkit_Invoke_RelfectivePEInjection, Description: Auto-generated rule - file Invoke-RelfectivePEInjection.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ps1_toolkit_Persistence, Description: Auto-generated rule - file Persistence.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection, Description: Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ps1_toolkit_Inveigh_BruteForce_2, Description: Auto-generated rule - from files Inveigh-BruteForce.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ps1_toolkit_Persistence_2, Description: Auto-generated rule - from files Persistence.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ps1_toolkit_Inveigh_BruteForce_3, Description: Auto-generated rule - from files Inveigh-BruteForce.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Casper_Included_Strings, Description: Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Casper_SystemInformation_Output, Description: Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Backdoor_Redosdru_Jun17, Description: Detects malware Redosdru - file systemHome.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: IronGate_APT_Step7ProSim_Gen, Description: Detects IronGate APT Malware - Step7ProSim DLL, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: DeepPanda_lot1, Description: Hack Deep Panda - lot1.tmp-pwdump, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: DeepPanda_htran_exe, Description: Hack Deep Panda - htran-exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EternalRocks_taskhost, Description: Detects EternalRocks Malware - file taskhost.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: PwDump, Description: PwDump 6 variant, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Marc Stroebel
                                                                                                                                                                                • Rule: HackTool_Samples, Description: Hacktool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Ncrack, Description: This signature detects the Ncrack brute force tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PortScanner, Description: Auto-generated rule on file PortScanner.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: NetBIOS_Name_Scanner, Description: Auto-generated rule on file NetBIOS Name Scanner.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: FeliksPack3___Scanners_ipscan, Description: Auto-generated rule on file ipscan.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: IP_Stealing_Utilities, Description: Auto-generated rule on file IP Stealing Utilities.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: Powershell_Netcat, Description: Detects a Powershell version of the Netcat network hacking tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Hacktools_CN_Burst_pass, Description: Disclosed hacktool set - file pass.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Hacktools_CN_Burst_Start, Description: Disclosed hacktool set - file Start.bat - DoS tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Hacktools_CN_Burst_Blast, Description: Disclosed hacktool set - file Blast.bat, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EditKeyLogReadMe, Description: Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PassSniffer_zip_Folder_readme, Description: Disclosed hacktool set (old stuff) - file readme.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Jc_WinEggDrop_Shell, Description: Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: LinuxHacktool_eyes_a, Description: Linux hack tools - file a, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: CN_Toolset_sig_1433_135_sqlr, Description: Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: VSSown_VBS, Description: Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Linux_Portscan_Shark_2, Description: Detects Linux Port Scanner Shark, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: WCE_in_memory, Description: Detects Windows Credential Editor (WCE) in memory (and also on disk), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: pstgdump, Description: Detects a tool used by APT groups - file pstgdump.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: lsremora, Description: Detects a tool used by APT groups, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: cachedump, Description: Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PwDump_B, Description: Detects a tool used by APT groups - file PwDump.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: MSBuild_Mimikatz_Execution_via_XML, Description: Detects an XML that executes Mimikatz on an endpoint via MSBuild, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Disclosed_0day_POCs_injector, Description: Detects POC code from disclosed 0day hacktool set, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ProcessInjector_Gen, Description: Detects a process injection utility that can be used ofr good and bad purposes, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Lazagne_PW_Dumper, Description: Detects Lazagne PW Dumper, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Markus Neis / Florian Roth
                                                                                                                                                                                • Rule: SUSP_shellpop_Bash, Description: Detects susupicious bash command, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Tobias Michalski
                                                                                                                                                                                • Rule: HKTL_Lazagne_Gen_18, Description: Detects Lazagne password extractor hacktool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HKTL_NoPowerShell, Description: Detects NoPowerShell hack tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HKTL_LNX_Pnscan, Description: Detects Pnscan port scanner, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_PupyRAT_PY, Description: Detects Pupy RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Suspicious_Script_Running_from_HTTP, Description: Detects a suspicious , Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: SUSP_Netsh_PortProxy_Command, Description: Detects a suspicious command line with netsh and the portproxy command, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Nanocore_RAT_Gen_1, Description: Detetcs the Nanocore RAT and similar malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_Turla_Agent_BTZ_Gen_1, Description: Detects Turla Agent.BTZ, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_Malware_CommentCrew_MiniASP, Description: CommentCrew Malware MiniASP APT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: IMPLANT_3_v1, Description: X-Agent/CHOPSTICK Implant by APT28, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: US CERT
                                                                                                                                                                                • Rule: Industroyer_Portscan_3_Output, Description: Detects Industroyer related custom port scaner output file, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Industroyer_Malware_5, Description: Detects Industroyer related malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Unit78020_Malware_Gen1, Description: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Unit78020_Malware_Gen3, Description: Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: WindowsShell_s3, Description: Detects simple Windows shell - file s3.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: WindosShell_s1, Description: Detects simple Windows shell - file s1.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: WindowsShell_Gen, Description: Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: WindowsShell_Gen2, Description: Detects simple Windows shell - from files s3.exe, s4.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PassCV_Sabre_Malware_2, Description: PassCV Malware mentioned in Cylance Report, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Turla_APT_Malware_Gen1, Description: Detects Turla malware (based on sample used in the RUAG APT case), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Turla_APT_Malware_Gen2, Description: Detects Turla malware (based on sample used in the RUAG APT case), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Turla_APT_Malware_Gen3, Description: Detects Turla malware (based on sample used in the RUAG APT case), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: redSails_PY, Description: Detects Red Sails Hacktool - Python, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_Malware_PutterPanda_Rel, Description: Detects an APT malware related to PutterPanda, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Rehashed_RAT_2, Description: Detects malware from Rehashed RAT incident, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Malware_QA_vqgk, Description: VT Research QA uploaded malware - file vqgk.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: IronPanda_DNSTunClient, Description: Iron Panda malware DnsTunClient - file named.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: IronPanda_Malware_Htran, Description: Iron Panda Malware Htran, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PP_CN_APT_ZeroT_3, Description: Detects malware from the Proofpoint CN APT ZeroT incident, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PP_CN_APT_ZeroT_5, Description: Detects malware from the Proofpoint CN APT ZeroT incident, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: CN_APT_ZeroT_extracted_Mcutil, Description: Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Microcin_Sample_5, Description: Malware sample mentioned in Microcin technical report by Kaspersky, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PS_AMSI_Bypass, Description: Detects PowerShell AMSI Bypass, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JS_Suspicious_MSHTA_Bypass, Description: Detects MSHTA Bypass, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JavaScript_Run_Suspicious, Description: Detects a suspicious Javascript Run command, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Ysoserial_Payload_Spring1, Description: Ysoserial Payloads - file Spring1.bin, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Ysoserial_Payload, Description: Ysoserial Payloads, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Ysoserial_Payload_3, Description: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Mimikatz_Memory_Rule_1, Description: Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Mimikatz_Memory_Rule_2, Description: Mimikatz Rule generated from a memory dump, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth - Florian Roth
• Rule: Mimikatz_Logfile, Description: Detects a log file generated by malicious hack tool mimikatz, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Mimikatz_Strings, Description: Detects Mimikatz strings, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FiveEyes_QUERTY_Malwaresig_20123_cmdDef, Description: FiveEyes QUERTY Malware - file 20123_cmdDef.xml, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FiveEyes_QUERTY_Malwareqwerty_20123, Description: FiveEyes QUERTY Malware - file 20123.xml, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FiveEyes_QUERTY_Malwaresig_20120_cmdDef, Description: FiveEyes QUERTY Malware - file 20120_cmdDef.xml, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FiveEyes_QUERTY_Malwaresig_20121_cmdDef, Description: FiveEyes QUERTY Malware - file 20121_cmdDef.xml, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: VUL_JQuery_FileUpload_CVE_2018_9206, Description: Detects JQuery File Upload vulnerability CVE-2018-9206, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: CACTUSTORCH, Description: Detects CactusTorch Hacktool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_FIN7_Strings_Aug18_1, Description: Detects strings from FIN7 report in August 2018, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OPCLEAVER_CCProxy_Config, Description: CCProxy config known from Operation Cleaver, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OpCloudHopper_Malware_5, Description: Detects malware from Operation Cloud Hopper, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OpCloudHopper_WmiDLL_inMemory, Description: Malware related to Operation Cloud Hopper - Page 25, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: VBS_WMIExec_Tool_Apr17_1, Description: Tools related to Operation Cloud Hopper, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Regin_Related_Malware, Description: Malware Sample - maybe Regin related, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationDrug_HDDSSD_Op, Description: EquationDrug - HDD/SSD firmware operation - nls_933w.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth @4nc4p
• Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Invoke_Mimikatz, Description: Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Mimipenguin_SH, Description: Detects Mimipenguin Password Extractor - Linux, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: HKTL_PowerKatz_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: HKTL_Unknown_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: POSHSPY_Malware, Description: Detects, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Pirpi_1609_A, Description: Detects Pirpi Backdoor - and other malware (generic rule), Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Pirpi_1609_B, Description: Detects Pirpi Backdoor, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FourElementSword_Config_File, Description: Detects FourElementSword Malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FourElementSword_ElevateDLL_2, Description: Detects FourElementSword Malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Win_PrivEsc_gp3finder_v4_0, Description: Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Win_PrivEsc_folderperm, Description: Detects a tool that can be used for privilege escalation - file folderperm.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PoisonIvy_Sample_6, Description: Detects PoisonIvy RAT sample set, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: yara@s3c.za.net
• Rule: Metasploit_Loader_RSMudge, Description: Detects a Metasploit Loader by RSMudge - file loader.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Armitage_OSX, Description: Detects Armitage component, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OilRig_Malware_Campaign_Gen2, Description: Detects malware from OilRig Campaign, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_APT34_PS_Malware_Apr19_1, Description: Detects APT34 PowerShell malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_APT34_PS_Malware_Apr19_3, Description: Detects APT34 PowerShell malware, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Silence_malware_2, Description: Detects malware sample mentioned in the Silence report on Securelist, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: NTLM_Dump_Output, Description: NTML Hash Dump output file - John/LC format, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FIN7_Backdoor_Aug17, Description: Detects Word Dropper from Proofpoint FIN7 Report, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_WMIExec_Gen_1, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WMImplant, Description: Auto-generated rule - file WMImplant.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: HKTL_Dsniff, Description: Detects Dsniff hack tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_Project_Sauron_arping_module, Description: Detects strings from arping module - Project Sauron report by Kaspersky, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_Project_Sauron_kblogi_module, Description: Detects strings from kblogi module - Project Sauron report by Kaspersky, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_Project_Sauron_basex_module, Description: Detects strings from basex module - Project Sauron report by Kaspersky, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_Project_Sauron_dext_module, Description: Detects strings from dext module - Project Sauron report by Kaspersky, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FVEY_ShadowBrokers_Jan17_Screen_Strings, Description: Detects strings derived from the ShadowBroker's leak of Windows tools/exploits, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: GRIZZLY_STEPPE_Malware_2, Description: Auto-generated rule, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_OSiRis, Description: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Sofacy_Fybis_ELF_Backdoor_Gen1, Description: Detects Sofacy Fysbis Linux Backdoor, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Greenbug_Malware_4, Description: Detects ISMDoor Backdoor, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Greenbug_Malware_5, Description: Auto-generated rule, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Winnti_NlaifSvc, Description: Winnti sample - file NlaifSvc.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Get_SecurityPackages, Description: Detects Empire component - file Get-SecurityPackages.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Invoke_PowerDump, Description: Detects Empire component - file Invoke-PowerDump.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Invoke_ShellcodeMSIL, Description: Detects Empire component - file Invoke-ShellcodeMSIL.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Invoke_SmbScanner, Description: Detects Empire component - file Invoke-SmbScanner.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Invoke_EgressCheck, Description: Detects Empire component - file Invoke-EgressCheck.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Invoke_PostExfil, Description: Detects Empire component - file Invoke-PostExfil.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Invoke_SMBAutoBrute, Description: Detects Empire component - file Invoke-SMBAutoBrute.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Get_Keystrokes, Description: Detects Empire component - file Get-Keystrokes.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Invoke_DllInjection, Description: Detects Empire component - file Invoke-DllInjection.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_KeePassConfig, Description: Detects Empire component - file KeePassConfig.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_PowerUp_Gen, Description: Detects Empire component - from files PowerUp.ps1, PowerUp.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_KeePassConfig_Gen, Description: Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Invoke_Portscan_Gen, Description: Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Empire_Invoke_Gen, Description: Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: TeleBots_IntercepterNG, Description: Detects TeleBots malware - IntercepterNG, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_powershell, Description: Detects powershell script used in Operation Wilted Tulip, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_Windows_UM_Task, Description: Detects a Windows scheduled task as used in Operation Wilted Tulip, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Impacket_Tools_Generic_1, Description: Compiled Impacket Tools, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_mimikittenz, Description: Detects Mimikittenz - file Invoke-mimikittenz.ps1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: ONHAT_Proxy_Hacktool, Description: Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_elgingamble, Description: Equation Group hack tool leaked by ShadowBrokers- file elgingamble, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_cmsd, Description: Equation Group hack tool leaked by ShadowBrokers- file cmsd, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_ebbshave, Description: Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_eggbasket, Description: Equation Group hack tool leaked by ShadowBrokers- file eggbasket, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_sambal, Description: Equation Group hack tool leaked by ShadowBrokers- file sambal, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_cmsex, Description: Equation Group hack tool leaked by ShadowBrokers- file cmsex, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_DUL, Description: Equation Group hack tool leaked by ShadowBrokers- file DUL, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_slugger2, Description: Equation Group hack tool leaked by ShadowBrokers- file slugger2, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_jackpop, Description: Equation Group hack tool leaked by ShadowBrokers- file jackpop, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_epoxyresin_v1_0_0, Description: Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_estesfox, Description: Equation Group hack tool leaked by ShadowBrokers- file estesfox, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup__ftshell_ftshell_v3_10_3_0, Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup__scanner_scanner_v2_1_2, Description: Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup__ghost_sparc_ghost_x86_3, Description: Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup__jparsescan_parsescan_5, Description: Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup__ftshell, Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_Toolset_Apr17_Eternalromance, Description: Detects EquationGroup Tool - April Leak, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_Toolset_Apr17_Gen2, Description: Detects EquationGroup Tool - April Leak, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0, Description: Detects EquationGroup Tool - April Leak, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4, Description: Detects EquationGroup Tool - April Leak, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT6_Malware_Sample_Gen, Description: Rule written for 2 malware samples that communicated to APT6 C2 servers, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_CryptoMiner, Description: Yara detected Crypto Miner, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_RevengeRAT, Description: Yara detected RevengeRAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_ComRAT_XORKey, Description: Yara detected Turla ComRAT XORKey, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Nukesped, Description: Yara detected Nukesped, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_xtremerat_1, Description: Yara detected Xtreme RAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_PupyRAT, Description: Yara detected PupyRAT, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Mirai_6, Description: Yara detected Mirai, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: dragos_crashoverride_moduleStrings, Description: IEC-104 Interaction Module Program Strings, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Dragos Inc
                                                                                                                                                                                • Rule: fe_cpe_ms17_010_ransomware, Description: probable petya ransomware using eternalblue, wmic, psexec, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
                                                                                                                                                                                • Rule: Anthem_DeepPanda_lot1, Description: Anthem Hack Deep Panda - lot1.tmp-pwdump, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Anthem_DeepPanda_htran_exe, Description: Anthem Hack Deep Panda - htran-exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: NetWiredRC_B, Description: NetWiredRC, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Jean-Philippe Teissier / @Jipe_
                                                                                                                                                                                • Rule: Backdoor_WebShell_asp, Description: Detect ASPXSpy, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: xylitol@temari.fr
                                                                                                                                                                                • Rule: webshell_iMHaPFtp_2, Description: Web Shell - file iMHaPFtp.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_caidao_shell_guo, Description: Web Shell - file guo.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_PHP_redcod, Description: Web Shell - file redcod.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_php_sh_server, Description: Web Shell - file server.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_cihshell_fix, Description: Web Shell - file cihshell_fix.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_php_up, Description: Web Shell - file up.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_asp_EFSO_2, Description: Web Shell - file EFSO_2.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_jsp_up, Description: Web Shell - file up.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_Server_Variables, Description: Web Shell - file Server Variables.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_caidao_shell_ice_2, Description: Web Shell - file ice.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_phpspy2010, Description: Web Shell - file phpspy2010.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_asp_ice, Description: Web Shell - file ice.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_asp_404, Description: Web Shell - file 404.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshell_cnseay02_1, Description: Web Shell - file webshell-cnseay02-1.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_php_fbi, Description: Web Shell - file fbi.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_B374kPHP_B374k, Description: Web Shell - file B374k.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_php_list, Description: Web Shell - file list.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_caidao_shell_404, Description: Web Shell - file 404.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_ASP_aspydrv, Description: Web Shell - file aspydrv.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_Dx_Dx, Description: Web Shell - file Dx.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_MySQL_Web_Interface_Version_0_8, Description: Web Shell - file MySQL Web Interface Version 0.8.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_phpkit_1_0_odd, Description: Web Shell - file odd.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_wsb_idc, Description: Web Shell - file idc.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_php_404, Description: Web Shell - file 404.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshell_cnseay_x, Description: Web Shell - file webshell-cnseay-x.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_asp_up, Description: Web Shell - file up.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_phpkit_0_1a_odd, Description: Web Shell - file odd.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_jsp_k81, Description: Web Shell - file k81.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_jsp_cmdjsp, Description: Web Shell - file cmdjsp.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_Java_Shell, Description: Web Shell - file Java Shell.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_PHP_r57142, Description: Web Shell - file r57142.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_simple_backdoor, Description: Web Shell - file simple-backdoor.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_php_cmd, Description: Web Shell - file cmd.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_PHP_co, Description: Web Shell - file co.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_PHP_150, Description: Web Shell - file 150.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_PHP_c37, Description: Web Shell - file c37.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_PHP_bug_1_, Description: Web Shell - file bug (1).php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_ghost_source_icesword_silic, Description: Web Shell - from files ghost_source.php, icesword.php, silic.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download, Description: Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx, Description: Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_jsp_reverse_jsp_reverse_jspbd, Description: Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx, Description: Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_itsec_PHPJackal_itsecteam_shell_jHn, Description: Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1, Description: Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz, Description: Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend, Description: Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_000_403_807_a_c5_config_css_dm_he1p_xxx, Description: Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY, Description: Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_c99_locus7s_c99_w4cking_xxx, Description: Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_r57shell127_r57_kartal_r57, Description: Web Shell - from files r57shell127.php, r57_kartal.php, r57.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_con2, Description: Web shells - generated from file con2.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_Expdoor_com_ASP, Description: Web shells - generated from file Expdoor.com ASP.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_php2, Description: Web shells - generated from file php2.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_bypass_iisuser_p, Description: Web shells - generated from file bypass-iisuser-p.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_sig_404super, Description: Web shells - generated from file 404super.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_JSP, Description: Web shells - generated from file JSP.jsp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshell_123, Description: Web shells - generated from file webshell-123.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_dev_core, Description: Web shells - generated from file dev_core.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_pHp, Description: Web shells - generated from file pHp.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_pppp, Description: Web shells - generated from file pppp.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_code, Description: Web shells - generated from file code.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_xxxx, Description: Web shells - generated from file xxxx.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_PHP1, Description: Web shells - generated from file PHP1.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_asp1, Description: Web shells - generated from file asp1.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_php6, Description: Web shells - generated from file php6.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_GetPostpHp, Description: Web shells - generated from file GetPostpHp.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_php5, Description: Web shells - generated from file php5.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_PHP, Description: Web shells - generated from file PHP.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_Asp, Description: Web shells - generated from file Asp.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: perlbot_pl, Description: Semi-Auto-generated - file perlbot.pl.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: php_backdoor_php, Description: Semi-Auto-generated - file php-backdoor.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Casus15_php_php, Description: Semi-Auto-generated - file Casus15.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: small_php_php, Description: Semi-Auto-generated - file small.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: shellbot_pl, Description: Semi-Auto-generated - file shellbot.pl.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: fuckphpshell_php, Description: Semi-Auto-generated - file fuckphpshell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: ngh_php_php, Description: Semi-Auto-generated - file ngh.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: jsp_reverse_jsp, Description: Semi-Auto-generated - file jsp-reverse.jsp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Tool_asp, Description: Semi-Auto-generated - file Tool.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: NT_Addy_asp, Description: Semi-Auto-generated - file NT Addy.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php, Description: Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: phvayvv_php_php, Description: Semi-Auto-generated - file phvayvv.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: rst_sql_php_php, Description: Semi-Auto-generated - file rst_sql.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: wh_bindshell_py, Description: Semi-Auto-generated - file wh_bindshell.py.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: lurm_safemod_on_cgi, Description: Semi-Auto-generated - file lurm_safemod_on.cgi.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: c99madshell_v2_0_php_php, Description: Semi-Auto-generated - file c99madshell_v2.0.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: w3d_php_php, Description: Semi-Auto-generated - file w3d.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: WinX_Shell_html, Description: Semi-Auto-generated - file WinX Shell.html.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Dx_php_php, Description: Semi-Auto-generated - file Dx.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: csh_php_php, Description: Semi-Auto-generated - file csh.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: pHpINJ_php_php, Description: Semi-Auto-generated - file pHpINJ.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: sig_2008_php_php, Description: Semi-Auto-generated - file 2008.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: ak74shell_php_php, Description: Semi-Auto-generated - file ak74shell.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Rem_View_php_php, Description: Semi-Auto-generated - file Rem View.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Java_Shell_js, Description: Semi-Auto-generated - file Java Shell.js.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: STNC_php_php, Description: Semi-Auto-generated - file STNC.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: aZRaiLPhp_v1_0_php, Description: Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: zacosmall_php, Description: Semi-Auto-generated - file zacosmall.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: CmdAsp_asp, Description: Semi-Auto-generated - file CmdAsp.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: simple_backdoor_php, Description: Semi-Auto-generated - file simple-backdoor.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: mysql_shell_php, Description: Semi-Auto-generated - file mysql_shell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Dive_Shell_1_0___Emperor_Hacking_Team_php, Description: Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Asmodeus_v0_1_pl, Description: Semi-Auto-generated - file Asmodeus v0.1.pl.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Reader_asp, Description: Semi-Auto-generated - file Reader.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: phpshell17_php, Description: Semi-Auto-generated - file phpshell17.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: SimShell_1_0___Simorgh_Security_MGZ_php, Description: Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: jspshall_jsp, Description: Semi-Auto-generated - file jspshall.jsp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: rootshell_php, Description: Semi-Auto-generated - file rootshell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: connectback2_pl, Description: Semi-Auto-generated - file connectback2.pl.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: shells_PHP_wso, Description: Semi-Auto-generated - file wso.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: backdoor1_php, Description: Semi-Auto-generated - file backdoor1.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: elmaliseker_asp, Description: Semi-Auto-generated - file elmaliseker.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: s72_Shell_v1_1_Coding_html, Description: Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: hidshell_php_php, Description: Semi-Auto-generated - file hidshell.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: kacak_asp, Description: Semi-Auto-generated - file kacak.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: PHP_Backdoor_Connect_pl_php, Description: Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Antichat_Socks5_Server_php_php, Description: Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Antichat_Shell_v1_3_php, Description: Semi-Auto-generated - file Antichat Shell v1.3.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php, Description: Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: cyberlords_sql_php_php, Description: Semi-Auto-generated - file cyberlords_sql.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html, Description: Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: EFSO_2_asp, Description: Semi-Auto-generated - file EFSO_2.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: lamashell_php, Description: Semi-Auto-generated - file lamashell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Ajax_PHP_Command_Shell_php, Description: Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: JspWebshell_1_2_jsp, Description: Semi-Auto-generated - file JspWebshell 1.2.jsp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Sincap_php_php, Description: Semi-Auto-generated - file Sincap.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Phyton_Shell_py, Description: Semi-Auto-generated - file Phyton Shell.py.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: sh_php_php, Description: Semi-Auto-generated - file sh.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: phpjackal_php, Description: Semi-Auto-generated - file phpjackal.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: sql_php_php, Description: Semi-Auto-generated - file sql.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: cgi_python_py, Description: Semi-Auto-generated - file cgi-python.py.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: ru24_post_sh_php_php, Description: Semi-Auto-generated - file ru24_post_sh.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: telnetd_pl, Description: Semi-Auto-generated - file telnetd.pl.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: php_include_w_shell_php, Description: Semi-Auto-generated - file php-include-w-shell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: shell_php_php, Description: Semi-Auto-generated - file shell.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: telnet_cgi, Description: Semi-Auto-generated - file telnet.cgi.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: ironshell_php, Description: Semi-Auto-generated - file ironshell.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: backdoorfr_php, Description: Semi-Auto-generated - file backdoorfr.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: aspydrv_asp, Description: Semi-Auto-generated - file aspydrv.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: cmdjsp_jsp, Description: Semi-Auto-generated - file cmdjsp.jsp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: h4ntu_shell__powered_by_tsoi_, Description: Semi-Auto-generated - file h4ntu shell [powered by tsoi, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: unknown
• Rule: Ajan_asp, Description: Semi-Auto-generated - file Ajan.asp.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: PHANTASMA_php, Description: Semi-Auto-generated - file PHANTASMA.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: MySQL_Web_Interface_Version_0_8_php, Description: Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0002, Description: Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0003, Description: Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0005, Description: Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0010, Description: Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0013, Description: Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0016, Description: Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_php_webshells, Description: Semi-Auto-generated - from files multiple_php_webshells, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0019, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0022, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0027, Description: Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0030, Description: Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0031, Description: Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0032, Description: Semi-Auto-generated - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: PHP_Cloaked_Webshell_SuperFetchExec, Description: Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_dC3_Security_Crew_Shell_PRiV, Description: PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_b374k_mini_shell_php_php, Description: PHP Webshells Github Archive - file b374k-mini-shell-php.php.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_Sincap_1_0, Description: PHP Webshells Github Archive - file Sincap 1.0.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_b374k_php, Description: PHP Webshells Github Archive - file b374k.php.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_h4ntu_shell__powered_by_tsoi_, Description: PHP Webshells Github Archive - file h4ntu shell [powered by tsoi, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: unknown
• Rule: WebShell_php_webshells_MyShell, Description: PHP Webshells Github Archive - file MyShell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_php_webshells_pHpINJ, Description: PHP Webshells Github Archive - file pHpINJ.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_ru24_post_sh, Description: PHP Webshells Github Archive - file ru24_post_sh.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_hiddens_shell_v1, Description: PHP Webshells Github Archive - file hiddens shell v1.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_c99_locus7s, Description: PHP Webshells Github Archive - file c99_locus7s.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_cgitelnet, Description: PHP Webshells Github Archive - file cgitelnet.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_lamashell, Description: PHP Webshells Github Archive - file lamashell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_Simple_PHP_backdoor_by_DK, Description: PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_php_webshells_README, Description: PHP Webshells Github Archive - file README.md, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_AK_74_Security_Team_Web_Shell_Beta_Version, Description: PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_Gamma_Web_Shell, Description: PHP Webshells Github Archive - file Gamma Web Shell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_php_include_w_shell, Description: PHP Webshells Github Archive - file php-include-w-shell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_PhpSpy_Ver_2006, Description: PHP Webshells Github Archive - file PhpSpy Ver 2006.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_php_webshells_myshell, Description: PHP Webshells Github Archive - file myshell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_php_webshells_lolipop, Description: PHP Webshells Github Archive - file lolipop.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_simple_cmd, Description: PHP Webshells Github Archive - file simple_cmd.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_aZRaiLPhp_v1_0, Description: PHP Webshells Github Archive - file aZRaiLPhp v1.0.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall, Description: PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell__findsock_php_findsock_shell_php_reverse_shell, Description: PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WebShell_Generic_PHP_6, Description: PHP Webshells Github Archive - from files c0derz shell [csh, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: unknown
• Rule: Unpack_Injectt, Description: Webshells Auto-generated - file Injectt.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: FeliksPack3___PHP_Shells_ssh, Description: Webshells Auto-generated - file ssh.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: ZXshell2_0_rar_Folder_ZXshell, Description: Webshells Auto-generated - file ZXshell.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: thelast_orice2, Description: Webshells Auto-generated - file orice2.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: FSO_s_zehir4, Description: Webshells Auto-generated - file zehir4.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: DarkSpy105, Description: Webshells Auto-generated - file DarkSpy105.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: FSO_s_reader, Description: Webshells Auto-generated - file reader.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: HYTop_DevPack_server, Description: Webshells Auto-generated - file server.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: vanquish, Description: Webshells Auto-generated - file vanquish.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: Simple_PHP_BackDooR, Description: Webshells Auto-generated - file Simple_PHP_BackDooR.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: hkshell_hkrmv, Description: Webshells Auto-generated - file hkrmv.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: FeliksPack3___PHP_Shells_phpft, Description: Webshells Auto-generated - file phpft.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: bdcli100, Description: Webshells Auto-generated - file bdcli100.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: rdrbs084, Description: Webshells Auto-generated - file rdrbs084.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: HYTop_CaseSwitch_2005, Description: Webshells Auto-generated - file 2005.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: FSO_s_casus15_2, Description: Webshells Auto-generated - file casus15.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: installer, Description: Webshells Auto-generated - file installer.cmd, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: elmaliseker, Description: Webshells Auto-generated - file elmaliseker.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: shelltools_g0t_root_Fport, Description: Webshells Auto-generated - file Fport.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: HYTop_DevPack_upload, Description: Webshells Auto-generated - file upload.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: PasswordReminder, Description: Webshells Auto-generated - file PasswordReminder.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: dbgntboot, Description: Webshells Auto-generated - file dbgntboot.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: PHP_shell, Description: Webshells Auto-generated - file shell.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: rdrbs100, Description: Webshells Auto-generated - file rdrbs100.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: Mithril_Mithril, Description: Webshells Auto-generated - file Mithril.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: hkdoordll, Description: Webshells Auto-generated - file hkdoordll.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: Mithril_v1_45_dllTest, Description: Webshells Auto-generated - file dllTest.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: dbgiis6cli, Description: Webshells Auto-generated - file dbgiis6cli.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: Debug_cress, Description: Webshells Auto-generated - file cress.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: FeliksPack3___PHP_Shells_usr, Description: Webshells Auto-generated - file usr.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: FSO_s_phpinj, Description: Webshells Auto-generated - file phpinj.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: xssshell_db, Description: Webshells Auto-generated - file db.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: EditServer_Webshell_2, Description: Webshells Auto-generated - file EditServer.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: by064cli, Description: Webshells Auto-generated - file by064cli.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: Mithril_dllTest, Description: Webshells Auto-generated - file dllTest.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: connector, Description: Webshells Auto-generated - file connector.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: shelltools_g0t_root_HideRun, Description: Webshells Auto-generated - file HideRun.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: PHP_Shell_v1_7, Description: Webshells Auto-generated - file PHP_Shell_v1.7.php, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: xssshell_save, Description: Webshells Auto-generated - file save.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: ZXshell2_0_rar_Folder_zxrecv, Description: Webshells Auto-generated - file zxrecv.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: _root_040_zip_Folder_deploy, Description: Webshells Auto-generated - file deploy.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: by063cli, Description: Webshells Auto-generated - file by063cli.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: icyfox007v1_10_rar_Folder_asp, Description: Webshells Auto-generated - file asp.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: byshell063_ntboot_2, Description: Webshells Auto-generated - file ntboot.dll, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: vanquish_2, Description: Webshells Auto-generated - file vanquish.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: BIN_Server, Description: Webshells Auto-generated - file Server.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: HYTop2006_rar_Folder_2006, Description: Webshells Auto-generated - file 2006.asp, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: HDConfig, Description: Webshells Auto-generated - file HDConfig.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
                                                                                                                                                                                 • Rule: Webshell_and_Exploit_CN_APT_HK, Description: Webshell and Exploit Code in relation with APT against Hong Kong protesters, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Pastebin_Webshell, Description: Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: netwire, Description: detect netwire in memory, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                Reputation:low
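The Yara list above is long enough that reading it rule by rule is not useful; what a triager wants to know is whether the hits are spread across many memory regions or whether most of them come from one dumped buffer, and how many stem from bulk auto-generated rules rather than hand-written family signatures. The helper below is an added example, not part of the Joe Sandbox report or of any of the quoted rule sets. It parses match lines in the format shown here (a small subset copied into `SAMPLE`), groups them by the dump they fired on, and flags rules that hit in more than one region. It assumes that the first dotted field of a `.sdmp` name is the analysis-local process identifier and the fourth field is the base address of the dumped region; the report does not document the naming scheme, so treat that mapping as an assumption.

```python
"""Group sandbox Yara hits by dumped memory region and rule origin.

Added triage helper for report listings of the form
  "Rule: X, Description: Y, Source: <dump>.sdmp, Author: Z".
"""
import re
from collections import Counter, defaultdict

# Constructed sample: five match lines copied from the report's Yara list.
SAMPLE = """\
• Rule: ZXshell2_0_rar_Folder_ZXshell, Description: Webshells Auto-generated - file ZXshell.exe, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: Yara Bulk Rule Generator by Florian Roth
• Rule: netwire, Description: detect netwire in memory, Source: 00000003.00000003.270488025.00000000063E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, Author: unknown
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, Author: unknown
• Rule: HKTL_Lazagne_Gen_18, Description: Detects Lazagne password extractor hacktool, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
"""

# Description may itself contain commas (e.g. lists of file names), so it is
# matched non-greedily up to the literal ", Source:" marker.
LINE_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<source>[0-9A-Fa-f.]+\.sdmp),\s*Author:\s*(?P<author>.+?)\s*$"
)


def parse_source(source):
    """Split a dump name into (process, base_address).

    Assumption, not documented in the report: field 1 is the analysis-local
    process id and field 4 the base address of the dumped region.
    """
    fields = source.split(".")
    if len(fields) != 7:
        raise ValueError(f"unexpected dump name: {source}")
    return fields[0], fields[3]


def parse_matches(text):
    """Return one dict per match line; lines that are not matches are skipped."""
    matches = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["process"], rec["base"] = parse_source(rec["source"])
        matches.append(rec)
    return matches


def is_generated(author):
    """Heuristic: bulk-generated rules name their generator in the author field."""
    return "rule generator" in author.lower()


def summarize(matches):
    by_region = Counter((m["process"], m["base"]) for m in matches)
    by_author = Counter(m["author"] for m in matches)
    regions_per_rule = defaultdict(set)
    for m in matches:
        regions_per_rule[m["rule"]].add((m["process"], m["base"]))
    # Rules firing in several distinct regions are worth more attention than
    # many rules firing once on the same buffer.
    multi_region = {r: len(s) for r, s in regions_per_rule.items() if len(s) > 1}
    generated = sum(1 for m in matches if is_generated(m["author"]))
    return {
        "total": len(matches),
        "generated": generated,
        "by_region": by_region,
        "by_author": by_author,
        "multi_region_rules": multi_region,
    }


def report(summary):
    lines = [f"{summary['total']} hits, {summary['generated']} from auto-generated rules"]
    for (proc, base), n in summary["by_region"].most_common():
        lines.append(f"  process {proc} region {base}: {n} hit(s)")
    for rule, n in sorted(summary["multi_region_rules"].items()):
        lines.append(f"  {rule} fired in {n} distinct regions")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(parse_matches(SAMPLE))))
```

Run against the full listing, the region grouping makes the point the raw list hides: when dozens of "Webshells Auto-generated" rules all cite the same dump name, they describe one buffer that happens to contain those strings, and the interesting question becomes what that buffer is, not how many rules matched it.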

                                                                                                                                                                                General

                                                                                                                                                                                Start time:13:46:19
                                                                                                                                                                                Start date:02/04/2021
                                                                                                                                                                                Path:C:\Users\user\Desktop\vnwareupdate.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1092'
                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                File size:10752 bytes
                                                                                                                                                                                MD5 hash:FA8AFFACE280644885152DE7CD3234EE
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:low

                                                                                                                                                                                General

                                                                                                                                                                                Start time:13:46:29
                                                                                                                                                                                Start date:02/04/2021
                                                                                                                                                                                Path:C:\Users\user\Desktop\vnwareupdate.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1136'
                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                File size:10752 bytes
                                                                                                                                                                                MD5 hash:FA8AFFACE280644885152DE7CD3234EE
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:low

                                                                                                                                                                                General

                                                                                                                                                                                Start time:13:46:30
                                                                                                                                                                                Start date:02/04/2021
                                                                                                                                                                                Path:C:\Users\user\Desktop\vnwareupdate.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1244'
                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                File size:10752 bytes
                                                                                                                                                                                MD5 hash:FA8AFFACE280644885152DE7CD3234EE
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:low

                                                                                                                                                                                General

                                                                                                                                                                                Start time:13:46:31
                                                                                                                                                                                Start date:02/04/2021
                                                                                                                                                                                Path:C:\Users\user\Desktop\vnwareupdate.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1236'
                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                File size:10752 bytes
                                                                                                                                                                                MD5 hash:FA8AFFACE280644885152DE7CD3234EE
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.323793714.00000000050C1000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 0000000A.00000003.321850832.00000000068D1000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 0000000A.00000003.316101546.000000000684D000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 0000000A.00000003.312404128.0000000006667000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                 • Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShadowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.323779225.0000000006626000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.324847009.0000000006648000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HKTL_Lazagne_Gen_18, Description: Detects Lazagne password extractor hacktool, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HKTL_NoPowerShell, Description: Detects NoPowerShell hack tool, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HKTL_LNX_Pnscan, Description: Detects Pnscan port scanner, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: SUSP_Netsh_PortProxy_Command, Description: Detects a suspicious command line with netsh and the portproxy command, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: VUL_JQuery_FileUpload_CVE_2018_9206, Description: Detects JQuery File Upload vulnerability CVE-2018-9206, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_FIN7_Strings_Aug18_1, Description: Detects strings from FIN7 report in August 2018, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_FIN7_MalDoc_Aug18_1, Description: Detects malicious Doc from FIN7 campaign, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HKTL_PowerKatz_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HKTL_Unknown_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_APT34_PS_Malware_Apr19_1, Description: Detects APT34 PowerShell malware, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_APT34_PS_Malware_Apr19_2, Description: Detects APT34 PowerShell malware, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_APT34_PS_Malware_Apr19_3, Description: Detects APT34 PowerShell malware, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HKTL_Dsniff, Description: Detects Dsniff hack tool, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1, Description: Detects HOPLIGHT malware used by HiddenCobra APT group, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: JoeSecurity_CryptoMiner, Description: Yara detected Crypto Miner, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Mirai_6, Description: Yara detected Mirai, Source: 0000000A.00000003.305047164.0000000003324000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.316213218.0000000006859000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 0000000A.00000003.323605826.0000000006667000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.324801435.0000000006627000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.318816470.000000000688B000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.308810849.00000000050AA000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.310723677.00000000050AA000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.325411258.0000000006626000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf, Description: Metasploit Payloads - file msf.sh, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_2, Description: Metasploit Payloads - file msf.asp, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_psh, Description: Metasploit Payloads - file msf-psh.vba, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_exe, Description: Metasploit Payloads - file msf-exe.vba, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_3, Description: Metasploit Payloads - file msf.psh, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_4, Description: Metasploit Payloads - file msf.aspx, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_exe_2, Description: Metasploit Payloads - file msf-exe.aspx, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_6, Description: Metasploit Payloads - file msf.vbs, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_7, Description: Metasploit Payloads - file msf.vba, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_8, Description: Metasploit Payloads - file msf.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_cmd, Description: Metasploit Payloads - file msf-cmd.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_11, Description: Metasploit Payloads - file msf.hta, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: netbiosX, Florian Roth
                                                                                                                                                                                • Rule: CVE_2017_8759_SOAP_Excel, Description: Detects malicious files related to CVE-2017-8759, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PowerShell_ISESteroids_Obfuscation, Description: Detects PowerShell ISESteroids obfuscation, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Reflective_DLL_Loader_Aug17_1, Description: Detects Reflective DLL Loader, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Reflective_DLL_Loader_Aug17_2, Description: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Reflective_DLL_Loader_Aug17_3, Description: Detects Reflective DLL Loader, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: VBScript_Favicon_File, Description: VBScript cloaked as Favicon file used in Leviathan incident, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Backdoor_Redosdru_Jun17, Description: Detects malware Redosdru - file systemHome.exe, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Backdoor_Nitol_Jun17, Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HTA_with_WScript_Shell, Description: Detects WScript Shell in HTA, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HTA_Embedded, Description: Detects an embedded HTA file, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: StoneDrill, Description: Detects malware from StoneDrill threat report, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: StoneDrill_VBS_1, Description: Detects malware from StoneDrill threat report, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EternalRocks_taskhost, Description: Detects EternalRocks Malware - file taskhost.exe, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: BeyondExec_RemoteAccess_Tool, Description: Detects BeyondExec Remote Access Tool - file rexesvr.exe, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Disclosed_0day_POCs_injector, Description: Detects POC code from disclosed 0day hacktool set, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_PupyRAT_PY, Description: Detects Pupy RAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: OilRig_Strings_Oct17, Description: Detects strings from OilRig malware and malicious scripts, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Suspicious_Script_Running_from_HTTP, Description: Detects a suspicious , Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: VBS_dropper_script_Dec17_1, Description: Detects a supicious VBS script that drops an executable, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Industroyer_Malware_1, Description: Detects Industroyer related malware, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Industroyer_Portscan_3_Output, Description: Detects Industroyer related custom port scaner output file, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Industroyer_Malware_4, Description: Detects Industroyer related malware, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Industroyer_Malware_5, Description: Detects Industroyer related malware, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: redSails_PY, Description: Detects Red Sails Hacktool - Python, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Rehashed_RAT_2, Description: Detects malware from Rehashed RAT incident, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Microcin_Sample_5, Description: Malware sample mentioned in Microcin technical report by Kaspersky, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PS_AMSI_Bypass, Description: Detects PowerShell AMSI Bypass, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: JS_Suspicious_Obfuscation_Dropbox, Description: Detects PowerShell AMSI Bypass, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: JS_Suspicious_MSHTA_Bypass, Description: Detects MSHTA Bypass, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JavaScript_Run_Suspicious, Description: Detects a suspicious Javascript Run command, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Ysoserial_Payload_Spring1, Description: Ysoserial Payloads - file Spring1.bin, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Ysoserial_Payload, Description: Ysoserial Payloads, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Ysoserial_Payload_3, Description: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: CACTUSTORCH, Description: Detects CactusTorch Hacktool, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OpCloudHopper_Malware_2, Description: Detects malware from Operation Cloud Hopper, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OpCloudHopper_Malware_3, Description: Detects malware from Operation Cloud Hopper, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OpCloudHopper_Malware_5, Description: Detects malware from Operation Cloud Hopper, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OpCloudHopper_WmiDLL_inMemory, Description: Malware related to Operation Cloud Hopper - Page 25, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: VBS_WMIExec_Tool_Apr17_1, Description: Tools related to Operation Cloud Hopper, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Mimipenguin_SH, Description: Detects Mimipenguin Password Extractor - Linux, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: POSHSPY_Malware, Description: Detects, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FIN7_Backdoor_Aug17, Description: Detects Word Dropper from Proofpoint FIN7 Report, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_SMBExec, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_WMIExec_Gen_1, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_SMBExec_Invoke_WMIExec_1, Description: Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_WMIExec_Gen, Description: Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WMImplant, Description: Auto-generated rule - file WMImplant.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FVEY_ShadowBrokers_Jan17_Screen_Strings, Description: Detects strings derived from the ShadowBroker's leak of Windows tools/exploits, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_OSiRis, Description: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: MAL_KHRAT_script, Description: Rule derived from KHRAT script but can match on other malicious scripts as well, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_powershell, Description: Detects powershell script used in Operation Wilted Tulip, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_Windows_UM_Task, Description: Detects a Windows scheduled task as used in Operation Wilted Tulip, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Impacket_Tools_Generic_1, Description: Compiled Impacket Tools, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Auditcleaner, Description: Equation Group hack tool leaked by ShadowBrokers- file Auditcleaner, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_elgingamble, Description: Equation Group hack tool leaked by ShadowBrokers- file elgingamble, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_cmsd, Description: Equation Group hack tool leaked by ShadowBrokers- file cmsd, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_ebbshave, Description: Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_eggbasket, Description: Equation Group hack tool leaked by ShadowBrokers- file eggbasket, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_sambal, Description: Equation Group hack tool leaked by ShadowBrokers- file sambal, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_envisioncollision, Description: Equation Group hack tool leaked by ShadowBrokers- file envisioncollision, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_cmsex, Description: Equation Group hack tool leaked by ShadowBrokers- file cmsex, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_DUL, Description: Equation Group hack tool leaked by ShadowBrokers- file DUL, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_slugger2, Description: Equation Group hack tool leaked by ShadowBrokers- file slugger2, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_jackpop, Description: Equation Group hack tool leaked by ShadowBrokers- file jackpop, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_epoxyresin_v1_0_0, Description: Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_estesfox, Description: Equation Group hack tool leaked by ShadowBrokers- file estesfox, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_elatedmonkey_1_0_1_1, Description: Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__ftshell_ftshell_v3_10_3_0, Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__scanner_scanner_v2_1_2, Description: Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__ghost_sparc_ghost_x86_3, Description: Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__jparsescan_parsescan_5, Description: Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__funnelout_v4_1_0_1, Description: Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__magicjack_v1_1_0_0_client, Description: Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__ftshell, Description: Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_noclient_3_3_2, Description: Equation Group hack tool set, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17_Eternalromance, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17_Gen2, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17_ntevt, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4, Description: Detects EquationGroup Tool - April Leak, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_scanner_output, Description: Detects output generated by EQGRP scanner.exe, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_xtremerat_1, Description: Yara detected Xtreme RAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_PupyRAT, Description: Yara detected PupyRAT, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: dragos_crashoverride_moduleStrings, Description: IEC-104 Interaction Module Program Strings, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Dragos Inc
• Rule: Obfuscated_VBS_April17, Description: Detects cloaked Mimikatz in VBS obfuscation, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Obfuscated_JS_April17, Description: Detects cloaked Mimikatz in JS obfuscation, Source: 0000000A.00000003.305199649.00000000050F1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 0000000A.00000003.324570617.0000000006668000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 0000000A.00000003.323986177.0000000002E7D000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
• Rule: webshell_webshells_new_PHP1, Description: Web shells - generated from file PHP1.php, Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: h4ntu_shell__powered_by_tsoi_, Description: Semi-Auto-generated - file h4ntu shell [powered by tsoi, Source: 0000000A.00000003.323415245.0000000006628000.00000004.00000001.sdmp, Author: unknown
• Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.313108656.0000000006641000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000002.552309239.00000000036C7000.00000004.00000001.sdmp, Author: unknown
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, Author: unknown
• Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.310922017.00000000050BA000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Empire_Invoke_Shellcode, Description: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 0000000A.00000003.325437911.0000000006654000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: webshell_jsp_cmdjsp, Description: Web Shell - file cmdjsp.jsp, Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: webshell_sig_404super, Description: Web shells - generated from file 404super.php, Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: webshell_webshells_new_Asp, Description: Web shells - generated from file Asp.asp, Source: 0000000A.00000003.322843197.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Volgmer_Malware, Description: Detects Volgmer malware as reported in US CERT TA17-318B, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: ProcessInjector_Gen, Description: Detects a process injection utility that can be used ofr good and bad purposes, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Lazagne_PW_Dumper, Description: Detects Lazagne PW Dumper, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Markus Neis / Florian Roth
• Rule: SUSP_shellpop_Bash, Description: Detects susupicious bash command, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Tobias Michalski
• Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: VBS_dropper_script_Dec17_1, Description: Detects a supicious VBS script that drops an executable, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Lazarus_Dec_17_5, Description: Detects Lazarus malware from incident in Dec 2017, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_Turla_Agent_BTZ_Gen_1, Description: Detects Turla Agent.BTZ, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Suspicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxilliary, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Turla_Mal_Script_Jan18_1, Description: Detects Turla malicious script, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: VBS_Obfuscated_Mal_Feb18_1, Description: Detects malicious obfuscated VBS observed in February 2018, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: LokiBot_Dropper_ScanCopyPDF_Feb18, Description: Auto-generated rule - file Scan Copy.pdf.com, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Armitage_msfconsole, Description: Detects Armitage component, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Armitage_OSX, Description: Detects Armitage component, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Silence_malware_2, Description: Detects malware sample mentioned in the Silence report on Securelist, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: malware_apt15_royaldll, Description: DLL implant, originally rights.dll and runs as a service, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: David Cannings
                                                                                                                                                                                • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_MiniRAT, Description: Yara detected Mini RAT, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_ComRAT_XORKey, Description: Yara detected Turla ComRAT XORKey, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: netwire, Description: detect netwire in memory, Source: 0000000A.00000003.304068846.0000000005000000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                • Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 0000000A.00000003.312268650.0000000006667000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Empire_Invoke_Shellcode, Description: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 0000000A.00000003.324870228.0000000006654000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.324781029.00000000068E9000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 0000000A.00000003.325135478.0000000006854000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.324504797.0000000006892000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.325168966.0000000006892000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.312103557.0000000006629000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 0000000A.00000002.536292107.0000000002E75000.00000004.00000040.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: Empire_Invoke_Shellcode, Description: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 0000000A.00000003.312201086.0000000006654000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: webshell_jsp_cmdjsp, Description: Web Shell - file cmdjsp.jsp, Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_sig_404super, Description: Web shells - generated from file 404super.php, Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_Asp, Description: Web shells - generated from file Asp.asp, Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 0000000A.00000003.315807326.000000000684B000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.308279629.00000000050AA000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_webshells_new_PHP1, Description: Web shells - generated from file PHP1.php, Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: h4ntu_shell__powered_by_tsoi_, Description: Semi-Auto-generated - file h4ntu shell [powered by tsoi, Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.304349540.00000000065DE000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.316499473.0000000006860000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000002.523349455.00000000022DB000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 0000000A.00000002.523349455.00000000022DB000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 0000000A.00000003.322872020.0000000006854000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 0000000A.00000003.323493568.00000000068EC000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat, Description: Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php, Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 0000000A.00000003.322972936.00000000050C1000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Empire_Invoke_Shellcode, Description: Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1, Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 0000000A.00000003.312897828.0000000006654000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 0000000A.00000003.325067585.0000000002E7E000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: Volgmer_Malware, Description: Detects Volgmer malware as reported in US CERT TA17-318B, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ProcessInjector_Gen, Description: Detects a process injection utility that can be used ofr good and bad purposes, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Lazagne_PW_Dumper, Description: Detects Lazagne PW Dumper, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Markus Neis / Florian Roth
                                                                                                                                                                                • Rule: SUSP_shellpop_Bash, Description: Detects susupicious bash command, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Tobias Michalski
                                                                                                                                                                                • Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: VBS_dropper_script_Dec17_1, Description: Detects a supicious VBS script that drops an executable, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Lazarus_Dec_17_5, Description: Detects Lazarus malware from incident in Dec 2017, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_Turla_Agent_BTZ_Gen_1, Description: Detects Turla Agent.BTZ, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Suspicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxilliary, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Turla_Mal_Script_Jan18_1, Description: Detects Turla malicious script, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: VBS_Obfuscated_Mal_Feb18_1, Description: Detects malicious obfuscated VBS observed in February 2018, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: LokiBot_Dropper_ScanCopyPDF_Feb18, Description: Auto-generated rule - file Scan Copy.pdf.com, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Armitage_msfconsole, Description: Detects Armitage component, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Armitage_OSX, Description: Detects Armitage component, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Silence_malware_2, Description: Detects malware sample mentioned in the Silence report on Securelist, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: malware_apt15_royaldll, Description: DLL implant, originally rights.dll and runs as a service, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: David Cannings
                                                                                                                                                                                • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MiniRAT, Description: Yara detected Mini RAT, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_ComRAT_XORKey, Description: Yara detected Turla ComRAT XORKey, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: Joe Security
• Rule: netwire, Description: detect netwire in memory, Source: 0000000A.00000003.305422889.0000000005007000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.318347743.00000000068C2000.00000004.00000001.sdmp, Author: unknown
• Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 0000000A.00000003.318347743.00000000068C2000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 0000000A.00000003.318347743.00000000068C2000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 0000000A.00000003.316560246.00000000068A5000.00000004.00000001.sdmp, Author: unknown
• Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 0000000A.00000003.316560246.00000000068A5000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 0000000A.00000003.316560246.00000000068A5000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
• Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: webshell_webshells_new_PHP1, Description: Web shells - generated from file PHP1.php, Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: h4ntu_shell__powered_by_tsoi_, Description: Semi-Auto-generated - file h4ntu shell [powered by tsoi, Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, Author: unknown
• Rule: WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit, Description: PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php, Source: 0000000A.00000003.313078570.000000000661F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 0000000A.00000003.308116996.0000000002E7C000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
Reputation: low

General

Start time: 13:46:45
Start date: 02/04/2021
Path: C:\Users\user\Desktop\vnwareupdate.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1256'
Imagebase: 0x400000
File size: 10752 bytes
MD5 hash: FA8AFFACE280644885152DE7CD3234EE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000013.00000003.473985141.0000000006BA5000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000013.00000003.428708026.0000000006BA5000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000013.00000003.436058475.0000000006B94000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Webshell_27_9_acid_c99_locus7s, Description: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, Source: 00000013.00000003.445137935.0000000006BFE000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000013.00000003.416791801.00000000051F5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: webshell_php_h6ss, Description: Web Shell - file h6ss.php, Source: 00000013.00000003.464557374.0000000006D87000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: HKTL_Lazagne_Gen_18, Description: Detects Lazagne password extractor hacktool, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: HKTL_NoPowerShell, Description: Detects NoPowerShell hack tool, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: HKTL_LNX_Pnscan, Description: Detects Pnscan port scanner, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_Script_Obfuscation_Char_Concat, Description: Detects strings found in sample from CN group repo leak in October 2018, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: SUSP_Netsh_PortProxy_Command, Description: Detects a suspicious command line with netsh and the portproxy command, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: VUL_JQuery_FileUpload_CVE_2018_9206, Description: Detects JQuery File Upload vulnerability CVE-2018-9206, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_FIN7_Strings_Aug18_1, Description: Detects strings from FIN7 report in August 2018, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_FIN7_MalDoc_Aug18_1, Description: Detects malicious Doc from FIN7 campaign, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: HKTL_PowerKatz_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: HKTL_Unknown_Feb19_1, Description: Detetcs a tool used in the Australian Parliament House network compromise, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_APT34_PS_Malware_Apr19_1, Description: Detects APT34 PowerShell malware, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_APT34_PS_Malware_Apr19_2, Description: Detects APT34 PowerShell malware, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_APT34_PS_Malware_Apr19_3, Description: Detects APT34 PowerShell malware, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: HKTL_Dsniff, Description: Detects Dsniff hack tool, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_1, Description: Detects HOPLIGHT malware used by HiddenCobra APT group, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_CryptoMiner, Description: Yara detected Crypto Miner, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Mirai_6, Description: Yara detected Mirai, Source: 00000013.00000003.416430149.0000000000884000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, Author: unknown
• Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 00000013.00000003.461202031.0000000006E05000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
• Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 00000013.00000003.433232225.00000000052E4000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 00000013.00000003.413817784.00000000052A4000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, Author: unknown
• Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 00000013.00000003.460017323.0000000006DFE000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
• Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000013.00000003.481677976.0000000006BA6000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, Author: unknown
• Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 00000013.00000003.456923467.0000000006DC6000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
• Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: webshell_php_h6ss, Description: Web Shell - file h6ss.php, Source: 00000013.00000003.454771924.0000000006D6F000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, Author: unknown
• Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files Shell [ci, Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, Author: unknown
• Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000013.00000003.423368197.00000000051EC000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 00000013.00000003.458084749.0000000006D9C000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Webshell_27_9_acid_c99_locus7s, Description: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, Source: 00000013.00000003.438854953.0000000006BFE000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Webshell_27_9_acid_c99_locus7s, Description: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, Source: 00000013.00000003.443343261.0000000006BFE000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp, Author: unknown
• Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000013.00000002.524614024.000000000242B000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
• Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000013.00000003.470647242.0000000006B9B000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 00000013.00000003.428675269.0000000006B79000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Webshell_27_9_acid_c99_locus7s, Description: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, Source: 00000013.00000003.485624536.0000000006BFE000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, Author: unknown
• Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PortRacer, Description: Auto-generated rule on file PortRacer.exe, Source: 00000013.00000003.458213135.0000000006DE1000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, Author: unknown
• Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files Shell [ci, Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, Author: unknown
• Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000013.00000003.422640827.00000000051E4000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: multiple_webshells_0015, Description: Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt, Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: Webshell_27_9_acid_c99_locus7s, Description: Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt, Source: 00000013.00000003.441709320.0000000006BFE000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.481501193.0000000006DCE000.00000004.00000001.sdmp, Author: unknown
• Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000013.00000003.473662008.0000000006B9B000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 00000013.00000003.481442342.0000000006D9C000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.463235186.0000000006E38000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000013.00000003.470663077.0000000006BA5000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files Shell [ci, Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000013.00000003.477379778.00000000051F3000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000002.541755283.0000000002FA0000.00000004.00000040.sdmp, Author: unknown
                                                                                                                                                                                • Rule: webshell_php_gzinflated, Description: PHP webshell which directly eval()s obfuscated string, Source: 00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp, Author: Arnim Rupp
                                                                                                                                                                                • Rule: webshell_php_h6ss, Description: Web Shell - file h6ss.php, Source: 00000013.00000003.455300807.0000000006D6F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShodowBroker Files Screenshots - Dec 2016, Source: 00000013.00000003.477128932.00000000052EB000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Volgmer_Malware, Description: Detects Volgmer malware as reported in US CERT TA17-318B, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ProcessInjector_Gen, Description: Detects a process injection utility that can be used ofr good and bad purposes, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Lazagne_PW_Dumper, Description: Detects Lazagne PW Dumper, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Markus Neis / Florian Roth
                                                                                                                                                                                • Rule: SUSP_shellpop_Bash, Description: Detects susupicious bash command, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Tobias Michalski
                                                                                                                                                                                • Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: VBS_dropper_script_Dec17_1, Description: Detects a supicious VBS script that drops an executable, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Lazarus_Dec_17_5, Description: Detects Lazarus malware from incident in Dec 2017, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_Turla_Agent_BTZ_Gen_1, Description: Detects Turla Agent.BTZ, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Suspicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxilliary, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Turla_Mal_Script_Jan18_1, Description: Detects Turla malicious script, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: VBS_Obfuscated_Mal_Feb18_1, Description: Detects malicious obfuscated VBS observed in February 2018, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: LokiBot_Dropper_ScanCopyPDF_Feb18, Description: Auto-generated rule - file Scan Copy.pdf.com, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Armitage_msfconsole, Description: Detects Armitage component, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Armitage_OSX, Description: Detects Armitage component, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Silence_malware_2, Description: Detects malware sample mentioned in the Silence report on Securelist, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: malware_apt15_royaldll, Description: DLL implant, originally rights.dll and runs as a service, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: David Cannings
                                                                                                                                                                                • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_MiniRAT, Description: Yara detected Mini RAT, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_ComRAT_XORKey, Description: Yara detected Turla ComRAT XORKey, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: netwire, Description: detect netwire in memory, Source: 00000013.00000003.416659119.0000000005137000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                • Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 00000013.00000003.470556930.0000000006B92000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: Msfpayloads_msf, Description: Metasploit Payloads - file msf.sh, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_2, Description: Metasploit Payloads - file msf.asp, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_psh, Description: Metasploit Payloads - file msf-psh.vba, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_exe, Description: Metasploit Payloads - file msf-exe.vba, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_3, Description: Metasploit Payloads - file msf.psh, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_4, Description: Metasploit Payloads - file msf.aspx, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_exe_2, Description: Metasploit Payloads - file msf-exe.aspx, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_6, Description: Metasploit Payloads - file msf.vbs, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_7, Description: Metasploit Payloads - file msf.vba, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_8, Description: Metasploit Payloads - file msf.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_cmd, Description: Metasploit Payloads - file msf-cmd.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_11, Description: Metasploit Payloads - file msf.hta, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Msfpayloads_msf_ref, Description: Metasploit Payloads - file msf-ref.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HKTL_Meterpreter_inMemory, Description: Detects Meterpreter in-memory, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: netbiosX, Florian Roth
                                                                                                                                                                                • Rule: CVE_2017_8759_SOAP_Excel, Description: Detects malicious files related to CVE-2017-8759, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PowerShell_ISESteroids_Obfuscation, Description: Detects PowerShell ISESteroids obfuscation, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Reflective_DLL_Loader_Aug17_1, Description: Detects Reflective DLL Loader, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Reflective_DLL_Loader_Aug17_2, Description: Detects Reflective DLL Loader - suspicious - Possible FP could be program crack, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Reflective_DLL_Loader_Aug17_3, Description: Detects Reflective DLL Loader, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: VBScript_Favicon_File, Description: VBScript cloaked as Favicon file used in Leviathan incident, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Backdoor_Redosdru_Jun17, Description: Detects malware Redosdru - file systemHome.exe, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Backdoor_Nitol_Jun17, Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: WScript_Shell_PowerShell_Combo, Description: Detects malware from Middle Eastern campaign reported by Talos, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HTA_with_WScript_Shell, Description: Detects WScript Shell in HTA, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: HTA_Embedded, Description: Detects an embedded HTA file, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: StoneDrill, Description: Detects malware from StoneDrill threat report, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: StoneDrill_VBS_1, Description: Detects malware from StoneDrill threat report, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: ZxShell_Jul17, Description: Detects a ZxShell - CN threat group, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: EternalRocks_taskhost, Description: Detects EternalRocks Malware - file taskhost.exe, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: BeyondExec_RemoteAccess_Tool, Description: Detects BeyondExec Remote Access Tool - file rexesvr.exe, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Disclosed_0day_POCs_injector, Description: Detects POC code from disclosed 0day hacktool set, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: APT_PupyRAT_PY, Description: Detects Pupy RAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: OilRig_Strings_Oct17, Description: Detects strings from OilRig malware and malicious scripts, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Suspicious_Script_Running_from_HTTP, Description: Detects a suspicious , Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: VBS_dropper_script_Dec17_1, Description: Detects a supicious VBS script that drops an executable, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Industroyer_Malware_1, Description: Detects Industroyer related malware, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Industroyer_Portscan_3_Output, Description: Detects Industroyer related custom port scanner output file, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Industroyer_Malware_4, Description: Detects Industroyer related malware, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Industroyer_Malware_5, Description: Detects Industroyer related malware, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: redSails_PY, Description: Detects Red Sails Hacktool - Python, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Rehashed_RAT_2, Description: Detects malware from Rehashed RAT incident, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Malware_QA_vqgk, Description: VT Research QA uploaded malware - file vqgk.dll, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Pupy_Backdoor, Description: Detects Pupy backdoor, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Microcin_Sample_5, Description: Malware sample mentioned in Microcin technical report by Kaspersky, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: clearlog, Description: Detects Fireball malware - file clearlog.dll, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PS_AMSI_Bypass, Description: Detects PowerShell AMSI Bypass, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JS_Suspicious_Obfuscation_Dropbox, Description: Detects PowerShell AMSI Bypass, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JS_Suspicious_MSHTA_Bypass, Description: Detects MSHTA Bypass, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JavaScript_Run_Suspicious, Description: Detects a suspicious Javascript Run command, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FVEY_ShadowBroker_Auct_Dez16_Strings, Description: String from the ShadowBroker Files Screenshots - Dec 2016, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Ysoserial_Payload_Spring1, Description: Ysoserial Payloads - file Spring1.bin, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Ysoserial_Payload, Description: Ysoserial Payloads, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Ysoserial_Payload_3, Description: Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: CACTUSTORCH, Description: Detects CactusTorch Hacktool, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OpCloudHopper_Malware_2, Description: Detects malware from Operation Cloud Hopper, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OpCloudHopper_Malware_3, Description: Detects malware from Operation Cloud Hopper, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OpCloudHopper_Malware_5, Description: Detects malware from Operation Cloud Hopper, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: OpCloudHopper_WmiDLL_inMemory, Description: Malware related to Operation Cloud Hopper - Page 25, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: VBS_WMIExec_Tool_Apr17_1, Description: Tools related to Operation Cloud Hopper, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Mimipenguin_SH, Description: Detects Mimipenguin Password Extractor - Linux, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: POSHSPY_Malware, Description: Detects, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FIN7_Backdoor_Aug17, Description: Detects Word Dropper from Proofpoint FIN7 Report, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PUA_CryptoMiner_Jan19_1, Description: Detects Crypto Miner strings, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_SMBExec, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_WMIExec_Gen_1, Description: Detects Invoke-WmiExec or Invoke-SmbExec, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_SMBExec_Invoke_WMIExec_1, Description: Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_WMIExec_Gen, Description: Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WMImplant, Description: Auto-generated rule - file WMImplant.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: FVEY_ShadowBrokers_Jan17_Screen_Strings, Description: Detects strings derived from the ShadowBroker's leak of Windows tools/exploits, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_OSiRis, Description: Osiris Device Guard Bypass - file Invoke-OSiRis.ps1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: MAL_KHRAT_script, Description: Rule derived from KHRAT script but can match on other malicious scripts as well, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_powershell, Description: Detects powershell script used in Operation Wilted Tulip, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_Windows_UM_Task, Description: Detects a Windows scheduled task as used in Operation Wilted Tulip, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_WindowsTask, Description: Detects hack tool used in Operation Wilted Tulip - Windows Tasks, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Impacket_Tools_Generic_1, Description: Compiled Impacket Tools, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Auditcleaner, Description: Equation Group hack tool leaked by ShadowBrokers - file Auditcleaner, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_elgingamble, Description: Equation Group hack tool leaked by ShadowBrokers - file elgingamble, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_cmsd, Description: Equation Group hack tool leaked by ShadowBrokers - file cmsd, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_ebbshave, Description: Equation Group hack tool leaked by ShadowBrokers - file ebbshave.v5, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_eggbasket, Description: Equation Group hack tool leaked by ShadowBrokers - file eggbasket, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_sambal, Description: Equation Group hack tool leaked by ShadowBrokers - file sambal, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_envisioncollision, Description: Equation Group hack tool leaked by ShadowBrokers - file envisioncollision, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_cmsex, Description: Equation Group hack tool leaked by ShadowBrokers - file cmsex, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_DUL, Description: Equation Group hack tool leaked by ShadowBrokers - file DUL, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_slugger2, Description: Equation Group hack tool leaked by ShadowBrokers - file slugger2, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_jackpop, Description: Equation Group hack tool leaked by ShadowBrokers - file jackpop, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_epoxyresin_v1_0_0, Description: Equation Group hack tool leaked by ShadowBrokers - file epoxyresin.v1.0.0.1, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_estesfox, Description: Equation Group hack tool leaked by ShadowBrokers - file estesfox, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_elatedmonkey_1_0_1_1, Description: Equation Group hack tool leaked by ShadowBrokers - file elatedmonkey.1.0.1.1.sh, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__ftshell_ftshell_v3_10_3_0, Description: Equation Group hack tool leaked by ShadowBrokers - from files ftshell, ftshell.v3.10.3.7, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__scanner_scanner_v2_1_2, Description: Equation Group hack tool leaked by ShadowBrokers - from files scanner, scanner.v2.1.2, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__ghost_sparc_ghost_x86_3, Description: Equation Group hack tool leaked by ShadowBrokers - from files ghost_sparc, ghost_x86, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__jparsescan_parsescan_5, Description: Equation Group hack tool leaked by ShadowBrokers - from files jparsescan, parsescan, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__funnelout_v4_1_0_1, Description: Equation Group hack tool leaked by ShadowBrokers - from files funnelout.v4.1.0.1.pl, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__magicjack_v1_1_0_0_client, Description: Equation Group hack tool leaked by ShadowBrokers - from files magicjack_v1.1.0.0_client-1.1.0.0.py, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup__ftshell, Description: Equation Group hack tool leaked by ShadowBrokers - from files ftshell, ftshell.v3.10.3.7, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_noclient_3_3_2, Description: Equation Group hack tool set, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17_Eternalromance, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17_Gen2, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17_ntevt, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4, Description: Detects EquationGroup Tool - April Leak, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: EquationGroup_scanner_output, Description: Detects output generated by EQGRP scanner.exe, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_xtremerat_1, Description: Yara detected Xtreme RAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_PupyRAT, Description: Yara detected PupyRAT, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Joe Security
• Rule: dragos_crashoverride_moduleStrings, Description: IEC-104 Interaction Module Program Strings, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Dragos Inc
• Rule: Obfuscated_VBS_April17, Description: Detects cloaked Mimikatz in VBS obfuscation, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Obfuscated_JS_April17, Description: Detects cloaked Mimikatz in JS obfuscation, Source: 00000013.00000003.416539900.0000000005222000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, Author: unknown
• Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files Shell [ci, Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, Author: unknown
• Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000013.00000003.420266978.00000000051E4000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: shankar_php_php, Description: Semi-Auto-generated - file shankar.php.php.txt, Source: 00000013.00000003.464807403.0000000006D9C000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
• Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000013.00000002.542830535.0000000002FAE000.00000004.00000040.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
• Rule: Volgmer_Malware, Description: Detects Volgmer malware as reported in US CERT TA17-318B, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: ProcessInjector_Gen, Description: Detects a process injection utility that can be used for good and bad purposes, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Lazagne_PW_Dumper, Description: Detects Lazagne PW Dumper, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Markus Neis / Florian Roth
• Rule: SUSP_shellpop_Bash, Description: Detects suspicious bash command, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Tobias Michalski
• Rule: GoldDragon_Aux_File, Description: Detects export from Gold Dragon - February 2018, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: VBS_dropper_script_Dec17_1, Description: Detects a suspicious VBS script that drops an executable, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Lazarus_Dec_17_5, Description: Detects Lazarus malware from incident in Dec 2017, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: APT_Turla_Agent_BTZ_Gen_1, Description: Detects Turla Agent.BTZ, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Suspicious_BAT_Strings, Description: Detects a string also used in Netwire RAT auxiliary, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Turla_Mal_Script_Jan18_1, Description: Detects Turla malicious script, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: VBS_Obfuscated_Mal_Feb18_1, Description: Detects malicious obfuscated VBS observed in February 2018, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: LokiBot_Dropper_ScanCopyPDF_Feb18, Description: Auto-generated rule - file Scan Copy.pdf.com, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Armitage_msfconsole, Description: Detects Armitage component, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Armitage_OSX, Description: Detects Armitage component, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Silence_malware_2, Description: Detects malware sample mentioned in the Silence report on Securelist, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: MAL_unspecified_Jan18_1, Description: Detects unspecified malware sample, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Invoke_PSImage, Description: Detects a command to execute PowerShell from String, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: malware_apt15_royaldll, Description: DLL implant, originally rights.dll and runs as a service, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: David Cannings
                                                                                                                                                                                • Rule: JoeSecurity_Coinhive, Description: Yara detected Coinhive miner, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_WebMonitor, Description: Yara detected WebMonitor RAT, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_MiniRAT, Description: Yara detected Mini RAT, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_ComRAT_XORKey, Description: Yara detected Turla ComRAT XORKey, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: netwire, Description: detect netwire in memory, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Fierce2, Description: This signature detects the Fierce2 domain scanner, Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: webshell_Shell_ci_Biz_was_here_c100_v_xxx, Description: Web Shell - from files Shell [ci, Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php, Description: Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt, Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000013.00000003.478269987.0000000002FAD000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: webshell_PHP_b37, Description: Web Shell - file b37.php, Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php, Description: Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt, Source: 00000013.00000003.435493556.0000000006B8B000.00000004.00000001.sdmp, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
                                                                                                                                                                                • Rule: scanarator, Description: Auto-generated rule on file scanarator.exe, Source: 00000013.00000003.417846471.0000000002FAC000.00000004.00000001.sdmp, Author: yarGen Yara Rule Generator by Florian Roth
                                                                                                                                                                                • Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.475887530.0000000006E3F000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                • Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.475715447.0000000006E30000.00000004.00000001.sdmp, Author: unknown
                                                                                                                                                                                • Rule: Hacktool_Strings_p0wnedShell, Description: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, Source: 00000013.00000003.430903809.0000000006BA5000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                                Reputation:low
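Reading a hit list like the one above by hand is error-prone: what matters for triage is not the number of rules that fired but which memory dumps they fired on. The following script is an added example, not part of the Joe Sandbox report and not Joe Security's code. It parses lines in the report's "Rule: ..., Description: ..., Source: ..., Author: ..." layout, splits the `*.sdmp` source name into its fields, groups distinct rules per (process index, dump base address) and flags regions where many unrelated rules hit at once. The field layout assumed for the dump name (process index, sequence number, stamp, base address, Win32 PAGE_* protection, kind) is an assumption about Joe Sandbox's naming and is not stated on this page; the sample input is a handful of lines copied from the list above.

```python
"""Group Joe Sandbox Yara hits by the memory dump region they fired on."""
import re
from collections import defaultdict

# Assumed layout of a Joe Sandbox memory-dump name (an assumption, not stated
# on this page): <proc>.<seq>.<stamp>.<base>.<protect>.<kind>.sdmp, where proc
# is the process index in the report, base the dump's base address and protect
# the Win32 PAGE_* constant the region had when it was dumped.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-fA-F]{8})\.(?P<seq>[0-9a-fA-F]{8})\.(?P<stamp>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<protect>[0-9a-fA-F]{8})\."
    r"(?P<kind>[0-9a-fA-F]{8})\.sdmp$"
)

# One report line: "Rule: X, Description: Y, Source: Z, Author: W". The lazy
# description match stops at the first ", Source:", so a description may itself
# contain commas (e.g. the malware_apt15_royaldll line).
HIT_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<source>\S+),\s*Author:\s*(?P<author>.+?)\s*$"
)

PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}


def parse_source(name):
    """Split an *.sdmp name into numeric fields; None if it is not a dump name."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    protect = int(m["protect"], 16)
    return {
        "proc": int(m["proc"], 16),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect, "0x%x" % protect),
    }


def parse_hit(line):
    """Parse one 'Rule: ..., Description: ..., Source: ..., Author: ...' line."""
    m = HIT_RE.search(line.lstrip("• \t"))
    if not m:
        return None
    hit = {k: m[k].strip() for k in ("rule", "desc", "source", "author")}
    hit["dump"] = parse_source(hit["source"])
    return hit


def group_by_region(lines):
    """Map (proc, base) -> sorted list of distinct rule names that fired there."""
    groups = defaultdict(set)
    for line in lines:
        hit = parse_hit(line)
        if hit and hit["dump"]:
            groups[(hit["dump"]["proc"], hit["dump"]["base"])].add(hit["rule"])
    return {k: sorted(v) for k, v in groups.items()}


def suspicious_regions(groups, min_rules=5):
    """Regions where at least min_rules distinct rules fired (a triage heuristic).

    Dozens of unrelated family and hacktool rules on one read-write region is
    more consistent with a blob of rule strings (a signature collection or a
    test file) than with that many implants being resident at once; such
    regions deserve a manual look before the per-family verdicts are trusted.
    """
    return sorted(k for k, rules in groups.items() if len(rules) >= min_rules)


def report(lines):
    """Return the summary lines a reviewer would print for the hit list."""
    out = []
    groups = group_by_region(lines)
    for (proc, base), rules in sorted(groups.items()):
        out.append("proc %d base 0x%x: %d rule(s): %s" % (proc, base, len(rules), ", ".join(rules)))
    for proc, base in suspicious_regions(groups):
        out.append("CHECK proc %d base 0x%x: many unrelated rules on one region" % (proc, base))
    return out


# Constructed input: seven lines copied from the report's hit list, in its layout.
SAMPLE = """
• Rule: Volgmer_Malware, Description: Detects Volgmer malware as reported in US CERT TA17-318B, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: RemCom_RemoteCommandExecution, Description: Detects strings from RemCom tool, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Invoke_Mimikatz, Description: Detects Invoke-Mimikatz String, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: malware_apt15_royaldll, Description: DLL implant, originally rights.dll and runs as a service, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: David Cannings
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000013.00000003.415404464.0000000005130000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Amplia_Security_Tool, Description: Amplia Security Tool, Source: 00000013.00000003.471467850.00000000051F3000.00000004.00000001.sdmp, Author: unknown
• Rule: SQLMap, Description: This signature detects the SQLMap SQL injection tool, Source: 00000013.00000003.475887530.0000000006E3F000.00000004.00000001.sdmp, Author: Florian Roth
""".strip().splitlines()

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run against the full list above, the script collapses the hits into a handful of regions in process 0x13, with nearly every family rule landing on the single PAGE_READWRITE dump at base 0x5130000; that concentration, rather than the rule count, is the fact to take to a manual look at the dump.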

General

Start time: 13:47:26
Start date: 02/04/2021
Path: C:\Users\user\Desktop\vnwareupdate.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\vnwareupdate.exe' '--multiprocessing-fork' '1300'
Imagebase: 0x7ff7ca4e0000
File size: 10752 bytes
MD5 hash: FA8AFFACE280644885152DE7CD3234EE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis