| Source | Type | Matched rule | Author |
|---|---|---|---|
| 2.2.xxTzyGLZx5.exe.4031bf.1.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 2.2.xxTzyGLZx5.exe.4031bf.1.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 2.2.xxTzyGLZx5.exe.4031bf.1.unpack | UNPACKEDPE | AveMaria_WarZone | unknown |
| 3.0.bin.exe.d0000.0.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 3.0.bin.exe.d0000.0.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 3.0.bin.exe.d0000.0.unpack | UNPACKEDPE | AveMaria_WarZone | unknown |
| 44.1.Windows Update.exe.415058.2.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.1.Windows Update.exe.415058.2.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 2.0.xxTzyGLZx5.exe.41b62f.11.raw.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 2.0.xxTzyGLZx5.exe.41b62f.11.raw.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 44.2.Windows Update.exe.4b0dc72.12.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.4b0dc72.12.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.2.Windows Update.exe.400000.2.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.400000.2.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.0.5.exe.400000.6.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.0.5.exe.400000.6.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 3.2.bin.exe.2cee490.3.raw.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 44.0.Windows Update.exe.415058.14.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.0.Windows Update.exe.415058.14.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.2.5.exe.400000.0.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.400000.0.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 43.2.Windows Update.exe.147b1458.3.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 43.2.Windows Update.exe.147b1458.3.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.1.5.exe.400000.0.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.1.5.exe.400000.0.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 13.2.remcos.exe.400000.0.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 44.2.Windows Update.exe.4ab6408.15.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.4ab6408.15.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.2.Windows Update.exe.400000.2.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.400000.2.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 9.2.cmd.exe.690000.1.raw.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 9.2.cmd.exe.690000.1.raw.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 9.2.cmd.exe.690000.1.raw.unpack | UNPACKEDPE | AveMaria_WarZone | unknown |
| 40.2.5.exe.3753258.5.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.3753258.5.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 9.2.cmd.exe.690000.1.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 9.2.cmd.exe.690000.1.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 9.2.cmd.exe.690000.1.unpack | UNPACKEDPE | AveMaria_WarZone | unknown |
| 44.0.Windows Update.exe.400000.8.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.0.Windows Update.exe.400000.8.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.1.Windows Update.exe.415058.2.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.1.Windows Update.exe.415058.2.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.1.Windows Update.exe.400000.0.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.1.Windows Update.exe.400000.0.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 29.2.bin.exe.d0000.0.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 29.2.bin.exe.d0000.0.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 29.2.bin.exe.d0000.0.unpack | UNPACKEDPE | AveMaria_WarZone | unknown |
| 40.0.5.exe.400000.9.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.0.5.exe.400000.9.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 2.0.xxTzyGLZx5.exe.400000.4.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 2.0.xxTzyGLZx5.exe.400000.4.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 44.1.Windows Update.exe.41ce65.3.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.1.Windows Update.exe.41ce65.3.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.2.Windows Update.exe.4b49c0d.19.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.4b49c0d.19.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 2.0.xxTzyGLZx5.exe.400000.10.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 2.0.xxTzyGLZx5.exe.400000.10.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 44.2.Windows Update.exe.4b48208.17.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.4b48208.17.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.2.Windows Update.exe.3889660.6.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.3889660.6.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 3.2.bin.exe.3644490.6.raw.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 2.2.xxTzyGLZx5.exe.4031bf.1.raw.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 2.2.xxTzyGLZx5.exe.4031bf.1.raw.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 44.0.Windows Update.exe.41ce65.10.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.0.Windows Update.exe.41ce65.10.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.0.5.exe.41ce65.12.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.0.5.exe.41ce65.12.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 37.2.5.exe.14907860.3.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 37.2.5.exe.14907860.3.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.0.5.exe.41ce65.16.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.0.5.exe.41ce65.16.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.2.5.exe.493dc72.11.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.493dc72.11.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.1.Windows Update.exe.41b460.1.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.1.Windows Update.exe.41b460.1.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 32.0.remcos.exe.400000.0.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 44.2.Windows Update.exe.388b065.8.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.388b065.8.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 2.1.xxTzyGLZx5.exe.4031bf.1.raw.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 2.1.xxTzyGLZx5.exe.4031bf.1.raw.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 40.1.5.exe.415058.3.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.1.5.exe.415058.3.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.2.5.exe.4970000.15.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.4970000.15.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.0.Windows Update.exe.400000.6.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.0.Windows Update.exe.400000.6.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 34.0.remcos.exe.400000.0.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 40.1.5.exe.41b460.2.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.1.5.exe.41b460.2.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.0.5.exe.400000.5.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.0.5.exe.400000.5.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 37.2.5.exe.148f0000.1.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 37.2.5.exe.148f0000.1.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.0.5.exe.400000.13.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.0.5.exe.400000.13.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 13.0.remcos.exe.400000.0.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 44.2.Windows Update.exe.4b9fa72.18.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.4b9fa72.18.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 18.0.remcos.exe.400000.0.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 40.2.5.exe.48e6408.13.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.48e6408.13.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.2.Windows Update.exe.4a27428.10.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.4a27428.10.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 1.2.xxTzyGLZx5.exe.147ba62f.3.raw.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 1.2.xxTzyGLZx5.exe.147ba62f.3.raw.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 40.2.5.exe.49cfa72.18.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.49cfa72.18.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 43.2.Windows Update.exe.147a0000.4.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 43.2.Windows Update.exe.147a0000.4.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 37.2.5.exe.14909265.2.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 37.2.5.exe.14909265.2.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.0.Windows Update.exe.400000.7.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.0.Windows Update.exe.400000.7.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.0.Windows Update.exe.415058.14.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.0.Windows Update.exe.415058.14.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.2.Windows Update.exe.4b40000.16.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.4b40000.16.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.0.5.exe.400000.7.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.0.5.exe.400000.7.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 37.2.5.exe.14901458.4.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 37.2.5.exe.14901458.4.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 1.2.xxTzyGLZx5.exe.147a21bf.1.raw.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 1.2.xxTzyGLZx5.exe.147a21bf.1.raw.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 43.2.Windows Update.exe.147b9265.2.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 43.2.Windows Update.exe.147b9265.2.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 2.0.xxTzyGLZx5.exe.4031bf.9.raw.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 2.0.xxTzyGLZx5.exe.4031bf.9.raw.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 40.0.5.exe.415058.15.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.0.5.exe.415058.15.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.2.5.exe.4857428.8.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.4857428.8.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 1.2.xxTzyGLZx5.exe.147a0000.2.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 1.2.xxTzyGLZx5.exe.147a0000.2.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 40.2.5.exe.415058.3.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.415058.3.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.2.Windows Update.exe.415058.0.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.415058.0.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 4.0.rem9090sta.exe.400000.0.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 44.0.Windows Update.exe.400000.13.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.0.Windows Update.exe.400000.13.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.2.5.exe.400000.0.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.400000.0.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.2.5.exe.48e7e0d.12.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.48e7e0d.12.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.2.Windows Update.exe.4ab0000.13.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.4ab0000.13.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 3.3.bin.exe.d4d388.5.raw.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 40.2.5.exe.3759660.7.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.3759660.7.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.0.Windows Update.exe.415058.12.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.0.Windows Update.exe.415058.12.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 40.2.5.exe.48aec92.9.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 40.2.5.exe.48aec92.9.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.2.Windows Update.exe.41ce65.3.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.41ce65.3.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 29.0.bin.exe.d0000.0.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 29.0.bin.exe.d0000.0.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 29.0.bin.exe.d0000.0.unpack | UNPACKEDPE | AveMaria_WarZone | unknown |
| 3.2.bin.exe.d0000.0.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 3.2.bin.exe.d0000.0.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 3.2.bin.exe.d0000.0.unpack | UNPACKEDPE | AveMaria_WarZone | unknown |
| 1.2.xxTzyGLZx5.exe.147a21bf.1.unpack | UNPACKEDPE | Detects Codoso APT Gh0st Malware | Florian Roth |
| 1.2.xxTzyGLZx5.exe.147a21bf.1.unpack | UNPACKEDPE | Detects Encrial credential stealer malware | Florian Roth |
| 1.2.xxTzyGLZx5.exe.147a21bf.1.unpack | UNPACKEDPE | AveMaria_WarZone | unknown |
| 44.2.Windows Update.exe.4ab0000.13.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.2.Windows Update.exe.4ab0000.13.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 44.0.Windows Update.exe.41b460.11.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 44.0.Windows Update.exe.41b460.11.raw.unpack | UNPACKEDPE | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 18.2.remcos.exe.400000.0.unpack | UNPACKEDPE | REMCOS_RAT_variants | unknown |
| 40.1.5.exe.41ce65.1.raw.unpack | UNPACKEDPE | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 00000028.00000002.836807956.0000000000400000.00000040.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 00000028.00000002.836807956.0000000000400000.00000040.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 00000025.00000002.801377726.00000000148F0000.00000004.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 00000025.00000002.801377726.00000000148F0000.00000004.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 00000028.00000000.797700139.0000000000414000.00000040.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 00000028.00000000.797700139.0000000000414000.00000040.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 00000028.00000000.794595068.0000000000414000.00000040.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 00000028.00000000.794595068.0000000000414000.00000040.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 0000002C.00000000.863600170.0000000000414000.00000040.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 0000002C.00000000.863600170.0000000000414000.00000040.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 0000002C.00000001.865541542.0000000000414000.00000040.00020000.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 0000002C.00000001.865541542.0000000000414000.00000040.00020000.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 0000002C.00000002.918744871.0000000004B42000.00000040.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 0000002C.00000002.918744871.0000000004B42000.00000040.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 0000002C.00000002.918414776.0000000004AB0000.00000004.00020000.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 0000002C.00000002.918414776.0000000004AB0000.00000004.00020000.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 0000002B.00000002.869118290.00000000147A0000.00000004.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 0000002B.00000002.869118290.00000000147A0000.00000004.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 00000028.00000002.838115183.0000000003751000.00000004.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 00000028.00000002.838115183.0000000003751000.00000004.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 00000028.00000002.838248522.0000000004851000.00000004.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 00000028.00000002.838248522.0000000004851000.00000004.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 0000002C.00000002.918156876.0000000004A21000.00000004.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 0000002C.00000002.918156876.0000000004A21000.00000004.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp | MEMORY | Detects Encrial credential stealer malware | Florian Roth |
| 00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp | MEMORY | REMCOS_RAT_variants | unknown |
| 00000028.00000002.838427138.0000000004972000.00000040.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 00000028.00000002.838427138.0000000004972000.00000040.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 0000002C.00000002.917761840.0000000003881000.00000004.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 0000002C.00000002.917761840.0000000003881000.00000004.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp | MEMORY | Detects Codoso APT Gh0st Malware | Florian Roth |
| 00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp | MEMORY | Detects Encrial credential stealer malware | Florian Roth |
| 00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp | MEMORY | AveMaria_WarZone | unknown |
| 00000028.00000001.798523188.0000000000414000.00000040.00020000.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 00000028.00000001.798523188.0000000000414000.00000040.00020000.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 00000028.00000002.838343652.00000000048E0000.00000004.00020000.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 00000028.00000002.838343652.00000000048E0000.00000004.00020000.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 0000002C.00000002.916420859.0000000002881000.00000004.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 0000002C.00000002.916420859.0000000002881000.00000004.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| 0000002C.00000000.861719615.0000000000414000.00000040.00000001.sdmp | MEMORY | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> |
| 0000002C.00000000.861719615.0000000000414000.00000040.00000001.sdmp | MEMORY | detect HawkEye in memory | JPCERT/CC Incident Response Group |
| C:\Users\user\AppData\Local\Temp\bin.exe | DROPPED | Detects Codoso APT Gh0st Malware | Florian Roth |
| C:\Users\user\AppData\Local\Temp\bin.exe | DROPPED | Detects Encrial credential stealer malware | Florian Roth |
| C:\Users\user\AppData\Local\Temp\bin.exe | DROPPED | AveMaria_WarZone | unknown |
| C:\Users\user\AppData\Local\Temp\rem9090sta.exe | DROPPED | REMCOS_RAT_variants | unknown |
| C:\Users\user\AppData\Roaming\Remcos\remcos.exe | DROPPED | REMCOS_RAT_variants | unknown |
Source: 2.2.xxTzyGLZx5.exe.4031bf.1.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.xxTzyGLZx5.exe.4031bf.1.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.xxTzyGLZx5.exe.4031bf.1.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 2.2.xxTzyGLZx5.exe.4031bf.1.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 3.0.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 3.0.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 3.0.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 3.0.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 44.1.Windows Update.exe.415058.2.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.1.Windows Update.exe.415058.2.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.1.Windows Update.exe.415058.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.xxTzyGLZx5.exe.41b62f.11.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.0.xxTzyGLZx5.exe.41b62f.11.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.0.xxTzyGLZx5.exe.41b62f.11.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 44.2.Windows Update.exe.4b0dc72.12.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.4b0dc72.12.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.2.Windows Update.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.2.Windows Update.exe.400000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.0.5.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.0.5.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.0.5.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 3.2.bin.exe.2cee490.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 3.2.bin.exe.2cee490.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 44.0.Windows Update.exe.415058.14.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.0.Windows Update.exe.415058.14.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.0.Windows Update.exe.415058.14.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.2.5.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.2.5.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 43.2.Windows Update.exe.147b1458.3.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 43.2.Windows Update.exe.147b1458.3.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 43.2.Windows Update.exe.147b1458.3.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.1.5.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.1.5.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.1.5.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 13.2.remcos.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 44.2.Windows Update.exe.4ab6408.15.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.4ab6408.15.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.2.Windows Update.exe.4ab6408.15.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.2.Windows Update.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.2.Windows Update.exe.400000.2.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 9.2.cmd.exe.690000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 9.2.cmd.exe.690000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 9.2.cmd.exe.690000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 9.2.cmd.exe.690000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 40.2.5.exe.3753258.5.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.3753258.5.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.2.5.exe.3753258.5.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 9.2.cmd.exe.690000.1.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 9.2.cmd.exe.690000.1.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 9.2.cmd.exe.690000.1.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 9.2.cmd.exe.690000.1.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 44.0.Windows Update.exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.0.Windows Update.exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.0.Windows Update.exe.400000.8.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.1.Windows Update.exe.415058.2.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.1.Windows Update.exe.415058.2.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.1.Windows Update.exe.415058.2.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 29.2.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 29.2.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 29.2.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 29.2.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 40.0.5.exe.400000.9.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.0.5.exe.400000.9.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.0.5.exe.400000.9.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.xxTzyGLZx5.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.0.xxTzyGLZx5.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 2.0.xxTzyGLZx5.exe.400000.4.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 44.1.Windows Update.exe.41ce65.3.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.1.Windows Update.exe.41ce65.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.2.Windows Update.exe.4b49c0d.19.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.4b49c0d.19.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.2.5.exe.27bb310.4.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 2.3.xxTzyGLZx5.exe.7abf78.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.0.xxTzyGLZx5.exe.400000.10.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.0.xxTzyGLZx5.exe.400000.10.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 2.0.xxTzyGLZx5.exe.400000.10.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 44.2.Windows Update.exe.4b48208.17.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.4b48208.17.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.2.Windows Update.exe.4b48208.17.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.2.Windows Update.exe.3889660.6.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.3889660.6.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.2.Windows Update.exe.3889660.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 3.2.bin.exe.3644490.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 3.2.bin.exe.3644490.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.xxTzyGLZx5.exe.4031bf.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.xxTzyGLZx5.exe.4031bf.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 2.2.xxTzyGLZx5.exe.4031bf.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 44.0.Windows Update.exe.41ce65.10.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.0.Windows Update.exe.41ce65.10.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.0.5.exe.41ce65.12.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.0.5.exe.41ce65.12.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 37.2.5.exe.14907860.3.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 37.2.5.exe.14907860.3.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 37.2.5.exe.14907860.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.0.5.exe.41ce65.16.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.0.5.exe.41ce65.16.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.2.5.exe.493dc72.11.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.493dc72.11.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.1.Windows Update.exe.41b460.1.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.1.Windows Update.exe.41b460.1.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.1.Windows Update.exe.41b460.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 32.0.remcos.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 44.2.Windows Update.exe.388b065.8.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.388b065.8.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 2.1.xxTzyGLZx5.exe.4031bf.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.1.xxTzyGLZx5.exe.4031bf.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 2.1.xxTzyGLZx5.exe.4031bf.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 40.1.5.exe.415058.3.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.1.5.exe.415058.3.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.1.5.exe.415058.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.2.5.exe.4970000.15.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.4970000.15.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.2.5.exe.4970000.15.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.0.Windows Update.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.0.Windows Update.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.0.Windows Update.exe.400000.6.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 34.0.remcos.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 40.1.5.exe.41b460.2.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.1.5.exe.41b460.2.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.1.5.exe.41b460.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.2.Windows Update.exe.76b0000.20.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.0.5.exe.400000.5.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.0.5.exe.400000.5.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.0.5.exe.400000.5.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 37.2.5.exe.148f0000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 37.2.5.exe.148f0000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 37.2.5.exe.148f0000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.0.5.exe.400000.13.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.0.5.exe.400000.13.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.0.5.exe.400000.13.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 13.0.remcos.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 44.2.Windows Update.exe.4b9fa72.18.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.4b9fa72.18.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 18.0.remcos.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 40.2.5.exe.48e6408.13.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.48e6408.13.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.2.5.exe.48e6408.13.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.2.Windows Update.exe.4a27428.10.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.4a27428.10.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.2.Windows Update.exe.4a27428.10.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.xxTzyGLZx5.exe.147ba62f.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 1.2.xxTzyGLZx5.exe.147ba62f.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 1.2.xxTzyGLZx5.exe.147ba62f.3.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 40.2.5.exe.49cfa72.18.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.49cfa72.18.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 43.2.Windows Update.exe.147a0000.4.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 43.2.Windows Update.exe.147a0000.4.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 43.2.Windows Update.exe.147a0000.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 37.2.5.exe.14909265.2.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 37.2.5.exe.14909265.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.0.Windows Update.exe.400000.7.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.0.Windows Update.exe.400000.7.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.0.Windows Update.exe.400000.7.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.0.Windows Update.exe.415058.14.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.0.Windows Update.exe.415058.14.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.0.Windows Update.exe.415058.14.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.2.Windows Update.exe.4b40000.16.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.4b40000.16.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.2.Windows Update.exe.4b40000.16.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.0.5.exe.400000.7.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.0.5.exe.400000.7.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.0.5.exe.400000.7.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 37.2.5.exe.14901458.4.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 37.2.5.exe.14901458.4.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 37.2.5.exe.14901458.4.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.xxTzyGLZx5.exe.147a21bf.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 1.2.xxTzyGLZx5.exe.147a21bf.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.xxTzyGLZx5.exe.147a21bf.1.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 43.2.Windows Update.exe.147b9265.2.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 43.2.Windows Update.exe.147b9265.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 2.0.xxTzyGLZx5.exe.4031bf.9.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.0.xxTzyGLZx5.exe.4031bf.9.raw.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 2.0.xxTzyGLZx5.exe.4031bf.9.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 40.0.5.exe.415058.15.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.0.5.exe.415058.15.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.0.5.exe.415058.15.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.2.5.exe.4857428.8.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.4857428.8.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.2.5.exe.4857428.8.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 1.2.xxTzyGLZx5.exe.147a0000.2.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 1.2.xxTzyGLZx5.exe.147a0000.2.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.xxTzyGLZx5.exe.147a0000.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 40.2.5.exe.415058.3.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.415058.3.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.2.5.exe.415058.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.2.Windows Update.exe.415058.0.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.415058.0.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.2.Windows Update.exe.415058.0.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 4.0.rem9090sta.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 44.0.Windows Update.exe.400000.13.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.0.Windows Update.exe.400000.13.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.0.Windows Update.exe.400000.13.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.2.5.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.2.5.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.2.5.exe.48e7e0d.12.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.48e7e0d.12.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.2.Windows Update.exe.4ab0000.13.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.4ab0000.13.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.2.Windows Update.exe.4ab0000.13.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 3.3.bin.exe.d4d388.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 3.3.bin.exe.d4d388.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 40.2.5.exe.3759660.7.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.3759660.7.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 40.2.5.exe.3759660.7.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.0.Windows Update.exe.415058.12.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.0.Windows Update.exe.415058.12.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.0.Windows Update.exe.415058.12.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 40.2.5.exe.48aec92.9.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 40.2.5.exe.48aec92.9.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.2.Windows Update.exe.41ce65.3.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.41ce65.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 29.0.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 29.0.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 29.0.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 29.0.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 3.2.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 3.2.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 3.2.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 3.2.bin.exe.d0000.0.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 1.2.xxTzyGLZx5.exe.147a21bf.1.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 1.2.xxTzyGLZx5.exe.147a21bf.1.unpack, type: UNPACKEDPE |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 1.2.xxTzyGLZx5.exe.147a21bf.1.unpack, type: UNPACKEDPE |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.xxTzyGLZx5.exe.147a21bf.1.unpack, type: UNPACKEDPE |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 44.2.Windows Update.exe.4ab0000.13.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.2.Windows Update.exe.4ab0000.13.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.2.Windows Update.exe.4ab0000.13.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 44.0.Windows Update.exe.41b460.11.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 44.0.Windows Update.exe.41b460.11.raw.unpack, type: UNPACKEDPE |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 44.0.Windows Update.exe.41b460.11.raw.unpack, type: UNPACKEDPE |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 18.2.remcos.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 40.1.5.exe.41ce65.1.raw.unpack, type: UNPACKEDPE |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 00000028.00000002.836807956.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 00000028.00000002.836807956.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 00000028.00000002.836807956.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 00000025.00000002.801377726.00000000148F0000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 00000025.00000002.801377726.00000000148F0000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 00000025.00000002.801377726.00000000148F0000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000003.684193866.0000000000D36000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 0000002C.00000002.921284802.0000000007700000.00000004.00020000.sdmp, type: MEMORY |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 00000028.00000000.797700139.0000000000414000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 00000028.00000000.797700139.0000000000414000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000002.929833680.000000000021F000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000028.00000000.794595068.0000000000414000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 00000028.00000000.794595068.0000000000414000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 0000002C.00000000.863600170.0000000000414000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 0000002C.00000000.863600170.0000000000414000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 0000002C.00000001.865541542.0000000000414000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 0000002C.00000001.865541542.0000000000414000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 0000002C.00000002.918744871.0000000004B42000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 0000002C.00000002.918744871.0000000004B42000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000001.674846942.0000000000403000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 0000002C.00000002.918414776.0000000004AB0000.00000004.00020000.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 0000002C.00000002.918414776.0000000004AB0000.00000004.00020000.sdmp, type: MEMORY |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0000002C.00000002.918414776.0000000004AB0000.00000004.00020000.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 0000002B.00000002.869118290.00000000147A0000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 0000002B.00000002.869118290.00000000147A0000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0000002B.00000002.869118290.00000000147A0000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001D.00000000.726336718.000000000021F000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 0000001D.00000002.730907039.000000000021F000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000028.00000002.838115183.0000000003751000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 00000028.00000002.838115183.0000000003751000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 00000028.00000002.838248522.0000000004851000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 00000028.00000002.838248522.0000000004851000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 0000002C.00000002.918156876.0000000004A21000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 0000002C.00000002.918156876.0000000004A21000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000003.684269184.0000000000D36000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 00000001.00000002.677784097.00000000147A0000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000002.00000000.672609321.0000000000403000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000028.00000002.838427138.0000000004972000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 00000028.00000002.838427138.0000000004972000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 0000002C.00000002.921256513.00000000076B0000.00000004.00020000.sdmp, type: MEMORY |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0000002C.00000002.917761840.0000000003881000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 0000002C.00000002.917761840.0000000003881000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 00000002.00000000.674013020.0000000000403000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000003.00000002.939479958.000000000362C000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000002.00000002.682814093.0000000000403000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000003.00000003.684248310.0000000000D0E000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000028.00000001.798523188.0000000000414000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 00000028.00000001.798523188.0000000000414000.00000040.00020000.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 00000028.00000002.838343652.00000000048E0000.00000004.00020000.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 00000028.00000002.838343652.00000000048E0000.00000004.00020000.sdmp, type: MEMORY |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 00000028.00000002.838343652.00000000048E0000.00000004.00020000.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 0000001D.00000002.731576486.00000000034A2000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000002.00000003.676858560.0000000000797000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000003.00000002.939106389.0000000002CD6000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 0000002C.00000002.916420859.0000000002881000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 0000002C.00000002.916420859.0000000002881000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 00000003.00000000.680273151.000000000021F000.00000002.00020000.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 0000002C.00000000.861719615.0000000000414000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 0000002C.00000000.861719615.0000000000414000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED |
Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED |
Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: C:\Users\user\AppData\Local\Temp\rem9090sta.exe, type: DROPPED |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe, type: DROPPED |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
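The listing above pairs every memory dump or dropped file with the YARA rule that fired on it, but the dump names carry more than that: they encode the process the region was dumped from and the page protection of that region, which is what separates a RAT signature sitting in an executable, writable region (the pattern left by in-memory unpacking or injection, and the first thing to pull for a manual look) from the same strings in a plain data page. The Python below is an added example, not part of the Joe Sandbox report, that parses a constructed excerpt of these lines into a per-process rule summary and lists the executable regions. It assumes the dump-name layout `<pid>.<dump id>.<sequence>.<base address>.<protection>.<type>.sdmp` with hexadecimal fields, reads the first field as the PID (0x28 = 40 and 0x2C = 44, which line up with the process numbers in the report's unpack names) and the fifth as a winnt.h PAGE_* value; the meaning of the remaining fields is left undecoded.

```python
import re
from collections import defaultdict

# winnt.h page-protection values; the fifth dotted field of a Joe Sandbox
# .sdmp name is assumed here to carry this value (0x40 on the page = RWX).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_BITS = 0x10 | 0x20 | 0x40 | 0x80

SOURCE_RE = re.compile(r"^Source: (?P<src>.+?), type: (?P<type>\w+) \|$")
RULE_RE = re.compile(r"^Matched rule: (?P<rule>\S+)(?P<meta>.*?)\s*\|$")
# "key = value" pairs; values may contain commas, so a value only ends
# where the next "key = " begins (or at end of line).
META_RE = re.compile(r"(?P<key>\w+) = (?P<val>.*?)(?=, \w+ = |$)")
# Assumed dump-name layout: <pid>.<dump id>.<sequence>.<base>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<dump>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<addr>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<mtype>[0-9A-F]{8})\.sdmp$"
)

# Constructed excerpt in the report's own line format (hash fields dropped for brevity).
SAMPLE_REPORT = r"""
Source: 00000028.00000002.838115183.0000000003751000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research |
Source: 0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye |
Source: 0000002C.00000002.914779879.0000000000400000.00000040.00000001.sdmp, type: MEMORY |
Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer |
Source: 00000009.00000002.931995653.0000000000690000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Codoso_Gh0st_1 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks |
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED |
Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
"""


def parse_report(text):
    """Pair each 'Source:' line with the 'Matched rule:' line that follows it."""
    hits, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SOURCE_RE.match(line)
        if m:
            pending = (m.group("src"), m.group("type"))
            continue
        m = RULE_RE.match(line)
        if m and pending:
            src, src_type = pending
            meta = {k: v.strip() for k, v in META_RE.findall(m.group("meta").strip())}
            hit = {"source": src, "source_type": src_type, "rule": m.group("rule"),
                   "meta": meta, "pid": None, "address": None,
                   "protection": None, "executable": False}
            d = SDMP_RE.match(src)
            if d:  # decode the process and page protection from the dump name
                prot = int(d.group("prot"), 16)
                hit["pid"] = int(d.group("pid"), 16)
                hit["address"] = int(d.group("addr"), 16)
                hit["protection"] = PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:x}")
                hit["executable"] = bool(prot & EXECUTE_BITS)
            hits.append(hit)
            pending = None
    return hits


def summarize(hits):
    """Group rule hits by PID, collect dropped-file hits, and list executable regions."""
    rules_by_pid, dropped, executable_regions = defaultdict(set), defaultdict(set), []
    for h in hits:
        if h["pid"] is not None:
            rules_by_pid[h["pid"]].add(h["rule"])
            if h["executable"]:
                executable_regions.append((h["pid"], h["address"], h["rule"]))
        elif h["source_type"] == "DROPPED":
            dropped[h["source"]].add(h["rule"])
    return {"rules_by_pid": dict(rules_by_pid), "dropped": dict(dropped),
            "executable_regions": executable_regions}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for pid, rules in sorted(summary["rules_by_pid"].items()):
        print(f"PID {pid}: {', '.join(sorted(rules))}")
    for pid, addr, rule in summary["executable_regions"]:
        print(f"executable region {addr:#x} in PID {pid} matched {rule}")
    for path, rules in summary["dropped"].items():
        print(f"dropped {path}: {', '.join(sorted(rules))}")
```

Run against the full listing, the output shows which PIDs carry HawkEye versus Remcos/Gh0st signatures and which of those hits are in PAGE_EXECUTE_READWRITE regions at image-like addresses such as 0x400000, a reasonable first cut for deciding which dumps to unpack by hand.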
Source: C:\Users\user\Desktop\xxTzyGLZx5.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\rem9090sta.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Remcos\dwn.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\21.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\5.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\4.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOGPFAULTERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Queries volume information: C:\ VolumeInformation (x2) |
|
Source: C:\Users\user\AppData\Roaming\Remcos\remcos.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Files.zip VolumeInformation (x3) |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Files\LSBIHQFDVT.pdf VolumeInformation (x2) |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Files\SFPUSAFIOL.pdf VolumeInformation (x2) |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Files\SFPUSAFIOL.xlsx VolumeInformation (x2) |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Files\SQRKHNBNYN.docx VolumeInformation (x2) |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Files\SQRKHNBNYN.pdf VolumeInformation (x2) |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Files\UOOJJOZIRH.xlsx VolumeInformation (x2) |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Files\VAMYDFPUND.docx VolumeInformation (x2) |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Files\VAMYDFPUND.xlsx VolumeInformation (x2) |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Files\ZTGJILHXQB.docx VolumeInformation (x2) |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\BURPLQ1DAW.zip VolumeInformation (x9) |
|
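The entries above are a flattened two-column behaviour table (source process, queried path) with one row per call. As an added example, not part of the sandbox report, the following Python script parses lines in exactly this layout, drops the "Jump to behavior" link text and empty cells, collapses repeated queries per process into counts (it also understands an "(xN)" suffix on an already-collapsed entry), and applies one triage heuristic that the section illustrates: a binary running from the user profile (21.exe in %TEMP%) stat-ing document and archive paths inside the user profile stands out, whereas the GAC, catalog and font lookups from powershell.exe and 5.exe all land under C:\Windows. The sample input is a constructed excerpt in the report's layout, and the flagging rule is an assumption for this example, not a Joe Sandbox signature.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the flattened "Source / Queries volume information"
# layout of the report (sample input for this example, not verbatim output).
# An "(xN)" suffix marks an entry collapsed from N identical consecutive lines.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (x3) |
Jump to behavior |
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Queries volume information: C:\ VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Files\SQRKHNBNYN.docx VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\BURPLQ1DAW.zip VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\21.exe |
Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\BURPLQ1DAW.zip VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation |
|
"""

SOURCE_RE = re.compile(r"^Source:\s*(?P<proc>.+?)\s*\|\s*$")
QUERY_RE = re.compile(
    r"^Queries volume information:\s*(?P<path>.+?)\s+VolumeInformation"
    r"(?:\s*\(x(?P<n>\d+)\))?\s*\|\s*$"
)

# Prefix assumed for this example: anything below it is user-writable.
USER_PROFILE = "c:\\users\\"


def parse_report(text):
    """Yield (process, path, count) triples from the flattened report text.

    A 'Source:' line sets the process for the 'Queries volume information:'
    line that follows it. 'Jump to behavior' links and the empty '|' cells
    between entries match neither pattern and are skipped.
    """
    proc = None
    for line in text.splitlines():
        m = SOURCE_RE.match(line)
        if m:
            proc = m.group("proc")
            continue
        m = QUERY_RE.match(line)
        if m and proc is not None:
            yield proc, m.group("path"), int(m.group("n") or 1)


def summarize(triples):
    """{process: Counter(path -> number of queries)}; repeats become a count."""
    per_proc = defaultdict(Counter)
    for proc, path, n in triples:
        per_proc[proc][path] += n
    return per_proc


def is_suspicious(proc, path):
    """Heuristic assumed for this example (not a Joe Sandbox signature):
    a process that itself runs from the user profile and stats files inside
    the user profile. GAC, catalog and font lookups under C:\\Windows pass."""
    return proc.lower().startswith(USER_PROFILE) and path.lower().startswith(USER_PROFILE)


def triage(text=SAMPLE):
    """Flagged entries only: {process: [(path, count), ...]}, most-queried first."""
    flagged = {}
    for proc, paths in summarize(parse_report(text)).items():
        hits = [(p, n) for p, n in paths.most_common() if is_suspicious(proc, p)]
        if hits:
            flagged[proc] = hits
    return flagged


if __name__ == "__main__":
    for proc, paths in summarize(parse_report(SAMPLE)).items():
        print(f"{proc}: {sum(paths.values())} queries, {len(paths)} distinct paths")
    for proc, hits in triage().items():
        print("FLAG", proc)
        for path, n in hits:
            print(f"   x{n:<3} {path}")
```

Run against the full section, the same script turns the 5.exe font list into one line with a count of distinct paths, and it is the per-process view, not the raw row count, that tells an analyst which process to look at next.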
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\5.exe |
Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation |
|
Source: C:\Users\user\AppData\Local\Temp\4.exe |
Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation |
|