Windows Analysis Report SW0P9o9ksjpBsnr.exe

Overview

General Information

Sample Name: SW0P9o9ksjpBsnr.exe
Analysis ID: 547727
MD5: 27f2a9688ec34fc8aa3b0fee4757dd71
SHA1: 9464f6bea3222c5598ecd9d29a8bc68c0998f926
SHA256: 5733ad0577f5b8fc7e939b1daff3ff98b339bb47542a138b659e47b9001fbbd2
Tags: exe, RemcosRAT

Detection

HawkEye, Remcos, AgentTesla, AveMaria, MailPassView, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UACMe UAC Bypass tool
Detected HawkEye Rat
Yara detected AveMaria stealer
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Increases the number of concurrent connections per server for Internet Explorer
.NET source code references suspicious native API functions
Contains functionality to hide user accounts
Contains functionality to log keystrokes (.Net Source)
Contains functionality to steal e-mail passwords
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Yara detected WebBrowserPassView password recovery tool
Contains functionality to steal Chrome passwords or cookies
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Contains functionality to inject threads in other processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to download and execute PE files
Yara detected Keylogger Generic
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May infect USB drives
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\100\100.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\ProgramData\images.exe Avira: detection malicious, Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\bin.exe Avira: detection malicious, Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\warz.exe Avira: detection malicious, Label: TR/Redcap.ghjpt
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Multi AV Scanner detection for submitted file
Source: SW0P9o9ksjpBsnr.exe ReversingLabs: Detection: 53%
Yara detected Remcos RAT
Source: Yara match File source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.rem.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.rem.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.rem.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.297395374.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.298936574.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.298035428.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rem.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPED
Yara detected AveMaria stealer
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.291260710.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.293488925.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.300135911.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.328585434.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.317967942.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.290415827.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.315866343.000000000149C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.314784536.00000000014A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.290858967.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.300261604.0000000000D8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.299137914.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.294897016.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.293955227.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\images.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\images.exe Metadefender: Detection: 76%
Source: C:\ProgramData\images.exe ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\bin.exe Metadefender: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\bin.exe ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Metadefender: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\rem.exe Metadefender: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\rem.exe ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\tmpG223.tmp (copy) ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\tmpG759.tmp (copy) Metadefender: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\tmpG759.tmp (copy) ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\warz.exe Metadefender: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\warz.exe ReversingLabs: Detection: 89%
Machine Learning detection for sample
Source: SW0P9o9ksjpBsnr.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\100\100.exe Joe Sandbox ML: detected
Source: C:\ProgramData\images.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bin.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\warz.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\rem.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 12.0.warz.exe.1020000.6.unpack Avira: Label: TR/Redcap.ghjpt
Source: 12.2.warz.exe.1020000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 19.0.hawkstartup.exe.4d0000.4.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 19.0.hawkstartup.exe.4d0000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 22.0.images.exe.330000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 11.0.bin.exe.880000.6.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 11.0.bin.exe.880000.2.unpack Avira: Label: TR/Redcap.ghjpt
Source: 22.3.images.exe.14ab2f0.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 11.0.bin.exe.880000.4.unpack Avira: Label: TR/Redcap.ghjpt
Source: 19.0.hawkstartup.exe.4d0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 19.0.hawkstartup.exe.4d0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.bin.exe.880000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 22.2.images.exe.330000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 19.0.hawkstartup.exe.4d0000.12.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 19.0.hawkstartup.exe.4d0000.12.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 22.3.images.exe.14ab2f0.10.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 19.0.hawkstartup.exe.4d0000.8.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 19.0.hawkstartup.exe.4d0000.8.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack Avira: Label: TR/Dropper.Gen
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 11.2.bin.exe.880000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 19.2.hawkstartup.exe.4d0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 19.2.hawkstartup.exe.4d0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 12.0.warz.exe.1020000.2.unpack Avira: Label: TR/Redcap.ghjpt
Source: 12.0.warz.exe.1020000.4.unpack Avira: Label: TR/Redcap.ghjpt
Source: 12.0.warz.exe.1020000.0.unpack Avira: Label: TR/Redcap.ghjpt

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, 11_2_0088B15E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088CAFC CryptUnprotectData,LocalAlloc,LocalFree, 11_2_0088CAFC
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 11_2_0088CCB4
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 11_2_0088CC54
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 11_2_0088A632
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088CF58 LocalAlloc,BCryptDecrypt,LocalFree, 11_2_0088CF58
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, 12_2_0102B15E
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102CAFC CryptUnprotectData,LocalAlloc,LocalFree, 12_2_0102CAFC
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 12_2_0102CC54
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 12_2_0102CCB4
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102CF58 LocalAlloc,BCryptDecrypt,LocalFree, 12_2_0102CF58
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 12_2_0102A632
Source: C:\ProgramData\images.exe Code function: 22_2_0033B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, 22_2_0033B15E
Source: C:\ProgramData\images.exe Code function: 22_2_0033CAFC CryptUnprotectData,LocalAlloc,LocalFree, 22_2_0033CAFC
Source: C:\ProgramData\images.exe Code function: 22_2_0033CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 22_2_0033CC54
Source: C:\ProgramData\images.exe Code function: 22_2_0033CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 22_2_0033CCB4
Source: C:\ProgramData\images.exe Code function: 22_2_0033A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 22_2_0033A632
Source: C:\ProgramData\images.exe Code function: 22_2_0033CF58 LocalAlloc,BCryptDecrypt,LocalFree, 22_2_0033CF58
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits:

Yara detected UACMe UAC Bypass tool
Source: Yara match File source: 22.3.images.exe.14b3768.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.images.exe.14b4d00.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.warz.exe.2fef490.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.warz.exe.da4e20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.32a8470.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.warz.exe.da2018.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.SW0P9o9ksjpBsnr.exe.45ab3f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.images.exe.14ab2f0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e5118.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.images.exe.14b4d00.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e5118.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bin.exe.309d490.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.images.exe.14b3768.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.images.exe.14b1ef8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.images.exe.14b3768.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.warz.exe.da3888.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e38a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e66b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e5118.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.warz.exe.da3888.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.images.exe.14b3768.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e5118.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.images.exe.14b3768.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.warz.exe.dba418.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.images.exe.14ab2f0.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.warz.exe.da3888.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e3430.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e5118.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e66b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e3430.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.warz.exe.da4e20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.images.exe.14b3768.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e5118.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.images.exe.14b4d00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.warz.exe.da4e20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.images.exe.36f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.bin.exe.10e3430.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bin.exe PID: 6480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: warz.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: images.exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\images.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED

Compliance:

Uses 32bit PE files
Source: SW0P9o9ksjpBsnr.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: C:\Users\user\AppData\Local\Temp\bin.exe Directory created: C:\Program Files\Microsoft DN1
Source: SW0P9o9ksjpBsnr.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, hawkstartup.exe, 00000013.00000002.332921599.0000000002B31000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp

Spreading:

May infect USB drives
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: hawkstartup.exe Binary or memory string: [autorun]
Source: hawkstartup.exe Binary or memory string: autorun.inf
Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp Binary or memory string: autorun.inf
Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp Binary or memory string: [autorun]
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0089002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 11_2_0089002B
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_00889DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 11_2_00889DF6
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088FF27 FindFirstFileW,FindNextFileW, 11_2_0088FF27
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_01029DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 12_2_01029DF6
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102FF27 FindFirstFileW,FindNextFileW, 12_2_0102FF27
Source: C:\ProgramData\images.exe Code function: 22_2_00339DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 22_2_00339DF6
Source: C:\ProgramData\images.exe Code function: 22_2_0033FF27 FindFirstFileW,FindNextFileW, 22_2_0033FF27

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 19_2_04D214C0
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 4x nop then jmp 04D21A73h 19_2_04D21A80
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 19_2_04D217F8
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 4x nop then jmp 04D21A73h 19_2_04D219B0
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 4x nop then jmp 04D21A73h 19_2_04D219A0
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 19_2_04D20728

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 185.157.161.174 ports 9019,1,1975,5,7,9
May check the online IP address of the machine
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\AppData\Roaming\Windows Update.exe DNS query: name: whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Contains functionality to download and execute PE files
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_008827D3 URLDownloadToFileW,ShellExecuteW, 11_2_008827D3
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49756 -> 185.157.161.174:1975
Source: global traffic TCP traffic: 192.168.2.5:49792 -> 66.29.159.53:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49792 -> 66.29.159.53:587
Source: ori4.0dec23sta.exe, 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp String found in binary or memory: http://CDIeMO.com
Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp String found in binary or memory: http://crl.c
Source: ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com
Source: ori4.0dec23sta.exe, 00000017.00000002.540928973.0000000006762000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertifi
Source: ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.531073009.00000000008B9000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542078165.0000000005759000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.531263426.00000000008C2000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: ori4.0dec23sta.exe, 00000017.00000002.540928973.0000000006762000.00000004.00000001.sdmp, ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori4.0dec23sta.exe, 00000017.00000002.540819805.0000000006720000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541994217.0000000005734000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539098632.0000000002B7B000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539285143.0000000002BAD000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: ori4.0dec23sta.exe, 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp String found in binary or memory: http://hWWJFF.com
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.531073009.00000000008B9000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542078165.0000000005759000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.531263426.00000000008C2000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539098632.0000000002B7B000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539285143.0000000002BAD000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp String found in binary or memory: http://smtp.privateemail.com
Source: hawkstartup.exe String found in binary or memory: http://whatismyipaddress.com/
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287717053.0000000001507000.00000004.00000040.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.266401934.0000000005E35000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.261362055.0000000005E3B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/P
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287717053.0000000001507000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comceaY
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.257920284.0000000005E38000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.257920284.0000000005E38000.00000004.00000001.sdmp String found in binary or memory: http://www.monotypeimaging.c
Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.255889807.0000000005E4B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.255889807.0000000005E4B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comAt
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.255889807.0000000005E4B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.come
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.260218923.0000000005E36000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000000.00000003.257996177.0000000005E38000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.257996177.0000000005E38000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com2
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.257996177.0000000005E38000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comB
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.294677676.0000000007042000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp String found in binary or memory: https://KXOf8Lcd51drIxRwI.org
Source: ori4.0dec23sta.exe, 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp String found in binary or memory: https://KXOf8Lcd51drIxRwI.org81
Source: ori2.0dec23sta.exe, 0000001A.00000002.540786312.00000000049F0000.00000004.00000001.sdmp String found in binary or memory: https://KXOf8Lcd51drIxRwI.orgInProcServer32
Source: ori2.0dec23sta.exe, 0000001A.00000002.540836311.0000000004A00000.00000004.00000001.sdmp String found in binary or memory: https://KXOf8Lcd51drIxRwI.orgInprocHandler
Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp String found in binary or memory: https://KXOf8Lcd51drIxRwI.orgd=
Source: bin.exe, warz.exe, images.exe String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.294966162.00000000018CC000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.284923646.0000000001893000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.291709456.0000000004593000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.286875051.0000000001893000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.314218745.0000000001903000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.324999984.0000000001904000.00000004.00000001.sdmp, bin.exe, 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, bin.exe, 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp, bin.exe, 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp, bin.exe, 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, bin.exe, 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp, bin.exe, 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, warz.exe, 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, warz.exe, 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, warz.exe, 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, warz.exe, 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp, images.exe, 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp, images.exe, 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, images.exe, 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: hawkstartup.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: ori4.0dec23sta.exe, 00000017.00000002.538995432.00000000030EC000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541938568.0000000005725000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542269823.0000000005787000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.529725952.0000000000867000.00000004.00000020.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542156248.0000000005766000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539098632.0000000002B7B000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.542032843.0000000005741000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.539285143.0000000002BAD000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: hawkstartup.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.307369542.00000000045AC000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.330768411.0000000004525000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.329717962.0000000003E61000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.313272509.0000000003E61000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.286683979.0000000003E61000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.315166060.0000000003ECD000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.286824707.0000000003ECC000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.328524290.00000000044B8000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp, ori4.0dec23sta.exe, ori4.0dec23sta.exe, 00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.540819805.0000000006720000.00000004.00000001.sdmp, ori2.0dec23sta.exe, ori2.0dec23sta.exe, 0000001A.00000003.364545271.00000000056D1000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000000.322486737.00000000000D2000.00000002.00020000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: ori2.0dec23sta.exe, 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: 9.96.11.0.in-addr.arpa
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088D0A3 recv, 11_2_0088D0A3
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 04 Jan 2022 14:06:23 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTSet-Cookie: __cf_bm=9.gsBxN_TlFUSbreDLPbWL6FYpa.GN4p00zBzeoSM3A-1641305183-0-AeUdY+n5LN7USDwNfmj5TSRNGaWztIYvAklLwEwNucw9pUZwZ2l2ZbjFQzDfD62xzB8G6jLZy8vOobUN/MZShNg=; path=/; expires=Tue, 04-Jan-22 14:36:23 GMT; domain=.whatismyipaddress.com; HttpOnlyServer: cloudflareCF-RAY: 6c8506f6cf196997-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 04 Jan 2022 14:06:23 GMTContent-Type: text/plain; charset=UTF-8Content-Length: 16Connection: keep-aliveX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTSet-Cookie: __cf_bm=9.gsBxN_TlFUSbreDLPbWL6FYpa.GN4p00zBzeoSM3A-1641305183-0-AeUdY+n5LN7USDwNfmj5TSRNGaWztIYvAklLwEwNucw9pUZwZ2l2ZbjFQzDfD62xzB8G6jLZy8vOobUN/MZShNg=; path=/; expires=Tue, 04-Jan-22 14:36:23 GMT; domain=.whatismyipaddress.com; HttpOnlyServer: cloudflareCF-RAY: 6c8506f6cf196997-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30 Data Ascii: error code: 1020
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.174
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: hawkstartup.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hawkstartup.exe PID: 6776, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Contains functionality to log keystrokes (.Net Source)
Source: hawkstartup.exe.4.dr, Form1.cs .Net Code: HookKeyboard
Yara detected Keylogger Generic
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_008889D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, 11_2_008889D5
Creates a DirectInput object (often for capturing keystrokes)
Source: bin.exe, 0000000B.00000002.529750933.00000000010AA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: GetRawInputData
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Remcos RAT
Source: Yara match File source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.rem.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.rem.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.rem.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.297395374.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.298936574.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.298035428.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rem.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPED
Yara detected AveMaria stealer
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.291260710.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.293488925.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.300135911.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.328585434.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.317967942.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.290415827.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.315866343.000000000149C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.314784536.00000000014A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.290858967.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.300261604.0000000000D8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.299137914.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.294897016.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.293955227.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\images.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED

System Summary:

Malicious sample detected (through community Yara rule)
Source: 22.3.images.exe.14b3768.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 22.3.images.exe.14b4d00.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.2.warz.exe.2fef490.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.3.warz.exe.da4e20.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.2.cmd.exe.32a8470.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 12.3.warz.exe.da2018.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.3.SW0P9o9ksjpBsnr.exe.45ab3f8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 22.3.images.exe.14ab2f0.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 11.3.bin.exe.10e5118.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 22.3.images.exe.14b4d00.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.3.bin.exe.10e5118.8.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.2.bin.exe.309d490.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 22.3.images.exe.14b3768.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 22.3.images.exe.14b1ef8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 22.3.images.exe.14b3768.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 12.3.warz.exe.da3888.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.3.bin.exe.10e38a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 11.3.bin.exe.10e66b0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.3.bin.exe.10e5118.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.3.warz.exe.da3888.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 22.3.images.exe.14b3768.1.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.3.bin.exe.10e5118.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 22.3.images.exe.14b3768.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.3.warz.exe.dba418.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 22.3.images.exe.14ab2f0.10.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.3.warz.exe.da3888.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 13.0.rem.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.rem.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.3.bin.exe.10e3430.9.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 11.3.bin.exe.10e5118.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.3.bin.exe.10e66b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.3.bin.exe.10e3430.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 12.3.warz.exe.da4e20.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 22.3.images.exe.14b3768.9.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.3.bin.exe.10e5118.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 22.3.images.exe.14b4d00.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.3.warz.exe.da4e20.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 22.2.images.exe.36f8490.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 13.0.rem.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 11.3.bin.exe.10e3430.1.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\images.exe, type: DROPPED Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: C:\ProgramData\images.exe, type: DROPPED Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: C:\ProgramData\images.exe, type: DROPPED Matched rule: AveMaria_WarZone Author: unknown
Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED Matched rule: AveMaria_WarZone Author: unknown
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: AveMaria_WarZone Author: unknown
Source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: ori4.0dec23sta.exe.4.dr, <PrivateImplementationDetails>{80ABC6D1-AE32-45A2-9096-BC397AAC86F7}/45943044-0066-44E2-9EC2-A29D8D801138.cs Large array initialization: .cctor: array initializer size 11886
Source: ori2.0dec23sta.exe.4.dr, <PrivateImplementationDetails>{D1803E16-2E0D-4EFF-8E66-1BC2B45C9740}/0875DE0C-18CD-4C1C-B3D5-C056A3F3148B.cs Large array initialization: .cctor: array initializer size 11886
One or more processes crash
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2228
Detected potential crypto function
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 0_2_014FD43C 0_2_014FD43C
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 0_2_07818710 0_2_07818710
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 0_2_07810007 0_2_07810007
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 0_2_07810040 0_2_07810040
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 0_2_0781C068 0_2_0781C068
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_00891BF8 11_2_00891BF8
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_01031BF8 12_2_01031BF8
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_004DD426 19_2_004DD426
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_004DD523 19_2_004DD523
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_004ED5AE 19_2_004ED5AE
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_004E7646 19_2_004E7646
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_004DD6C4 19_2_004DD6C4
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_005129BE 19_2_005129BE
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_00516AF4 19_2_00516AF4
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_0053ABFC 19_2_0053ABFC
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_00533C4D 19_2_00533C4D
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_00533CBE 19_2_00533CBE
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_004DED03 19_2_004DED03
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_00533D2F 19_2_00533D2F
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_00533DC0 19_2_00533DC0
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_004DCF92 19_2_004DCF92
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_004EAFA6 19_2_004EAFA6
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_04D21D98 19_2_04D21D98
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_0050C7BC 19_2_0050C7BC
Source: C:\ProgramData\images.exe Code function: 22_2_00341BF8 22_2_00341BF8
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Code function: 23_2_008C2296 23_2_008C2296
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Code function: 23_2_012A46A0 23_2_012A46A0
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Code function: 23_2_012A4658 23_2_012A4658
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Code function: 23_2_012AD2F0 23_2_012AD2F0
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_023C9EC0 26_2_023C9EC0
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_023CCFAC 26_2_023CCFAC
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_023CB398 26_2_023CB398
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_023CEBC0 26_2_023CEBC0
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_023CB338 26_2_023CB338
PE file contains strange resources
Source: rem.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hawkstartup.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hawkstartup.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hawkstartup.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Section loaded: security.dll
Uses 32bit PE files
Source: SW0P9o9ksjpBsnr.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 22.3.images.exe.14b3768.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b4d00.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b4d00.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.2.warz.exe.2fef490.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.2.warz.exe.2fef490.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da4e20.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da4e20.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.cmd.exe.32a8470.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.cmd.exe.32a8470.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 12.3.warz.exe.da2018.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da2018.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.SW0P9o9ksjpBsnr.exe.45ab3f8.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.SW0P9o9ksjpBsnr.exe.45ab3f8.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14ab2f0.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14ab2f0.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.3.bin.exe.10e5118.8.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.8.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b4d00.8.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b4d00.8.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.8.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.8.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.2.bin.exe.309d490.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.bin.exe.309d490.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.3.images.exe.14b3768.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b1ef8.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b1ef8.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 22.3.images.exe.14b3768.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.3.warz.exe.da3888.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da3888.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e38a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e38a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.2.hawkstartup.exe.2b9c090.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.3.bin.exe.10e66b0.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e66b0.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da3888.9.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da3888.9.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 22.3.images.exe.14b3768.9.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.9.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.dba418.13.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.dba418.13.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 22.3.images.exe.14ab2f0.10.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14ab2f0.10.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da3888.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da3888.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 13.0.rem.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.rem.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.3.bin.exe.10e3430.9.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e3430.9.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.3.bin.exe.10e5118.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.3.bin.exe.10e66b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e66b0.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.3.bin.exe.10e3430.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e3430.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 12.3.warz.exe.da4e20.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da4e20.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.9.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b3768.9.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.3.bin.exe.10e5118.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e5118.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 22.3.images.exe.14b4d00.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.3.images.exe.14b4d00.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da4e20.8.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.3.warz.exe.da4e20.8.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.2.images.exe.36f8490.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 22.2.images.exe.36f8490.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 13.0.rem.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.3.bin.exe.10e3430.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.bin.exe.10e3430.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.435763826.00000000081E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001F.00000002.435817753.0000000008330000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001F.00000000.389096338.00000000081E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.291654350.00000000009CF000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000C.00000002.311194083.000000000116F000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000C.00000003.299504412.0000000000DA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.524271296.000000000047F000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000B.00000002.525512056.00000000009CF000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000016.00000003.315134280.00000000014B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000016.00000003.315040551.00000000014B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.299610781.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000C.00000000.294592566.000000000116F000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000003.295601289.00000000010E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001B.00000002.328741916.00000000009CF000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000000.389208484.0000000008330000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000001F.00000000.381363861.0000000008330000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.295697323.00000000010E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001B.00000000.317999053.00000000009CF000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000016.00000000.304645862.000000000047F000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000B.00000000.290450731.00000000009CF000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000C.00000000.294916604.000000000116F000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000003.299968878.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.291282105.00000000009CF000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000C.00000000.293514502.000000000116F000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000003.315520254.00000000014B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000000.381265988.00000000081E0000.00000004.00020000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000000.290889845.00000000009CF000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.294003890.000000000116F000.00000002.00020000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\images.exe, type: DROPPED Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\ProgramData\images.exe, type: DROPPED Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\ProgramData\images.exe, type: DROPPED Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\ProgramData\images.exe, type: DROPPED Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPED Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Found potential string decryption / allocating functions
Source: C:\ProgramData\images.exe Code function: String function: 003335E5 appears 40 times
Source: C:\ProgramData\images.exe Code function: String function: 00340969 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: String function: 0051BA9D appears 35 times
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: String function: 00890969 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: String function: 008835E5 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: String function: 010235E5 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: String function: 01030969 appears 47 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_0219B0BA NtQuerySystemInformation, 26_2_0219B0BA
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_0219B089 NtQuerySystemInformation, 26_2_0219B089
PE file contains executable resources (Code or Archives)
Source: bin.exe.4.dr Static PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: warz.exe.4.dr Static PE information: Resource name: WM_DSP type: PE32 executable (GUI) Intel 80386, for MS Windows
Sample file is different than original file name gathered from version info
Source: SW0P9o9ksjpBsnr.exe Binary or memory string: OriginalFilename vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.295088311.00000000074B0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.295794287.0000000008DD0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenamePrivateBinPath.dll" vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.273722749.00000000048B6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287855633.0000000002C91000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePrivateBinPath.dll" vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000003.272239056.0000000003EB6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGAx vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGx vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe Binary or memory string: OriginalFilename vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.307369542.00000000045AC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.330768411.0000000004525000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.329717962.0000000003E61000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.313272509.0000000003E61000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.313272509.0000000003E61000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.286683979.0000000003E61000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.286683979.0000000003E61000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.315166060.0000000003ECD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.286824707.0000000003ECC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.328524290.00000000044B8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.328524290.00000000044B8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLrvTWAzeTzfPFEDllDLIdLNy.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameXENcVtTmqIhqwXvIDugCtb.exe4 vs SW0P9o9ksjpBsnr.exe
Source: SW0P9o9ksjpBsnr.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SW0P9o9ksjpBsnr.exe.log
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@46/115@17/5
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 11_2_0088D49C
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_008930A7 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA, 11_2_008930A7
Source: C:\Users\user\AppData\Local\Temp\bin.exe File created: C:\Program Files\Microsoft DN1
Source: SW0P9o9ksjpBsnr.exe ReversingLabs: Detection: 53%
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe "C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe"
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe
Source: C:\Windows\System32\BackgroundTransferHost.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe" 0
Source: C:\Windows\System32\BackgroundTransferHost.exe Process created: C:\Users\user\AppData\Local\Temp\warz.exe "C:\Users\user\AppData\Local\Temp\warz.exe" 0
Source: C:\Windows\System32\BackgroundTransferHost.exe Process created: C:\Users\user\AppData\Local\Temp\rem.exe "C:\Users\user\AppData\Local\Temp\rem.exe" 0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\warz.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\BackgroundTransferHost.exe Process created: C:\Users\user\AppData\Local\Temp\hawkstartup.exe "C:\Users\user\AppData\Local\Temp\hawkstartup.exe" 0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\warz.exe Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\System32\BackgroundTransferHost.exe Process created: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe" 0
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\BackgroundTransferHost.exe Process created: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe" 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe"
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2228
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Windows\System32\BackgroundTransferHost.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: unknown Process created: C:\Users\user\AppData\Roaming\100\100.exe "C:\Users\user\AppData\Roaming\100\100.exe"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2232
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2232
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\100\100.exe "C:\Users\user\AppData\Roaming\100\100.exe"
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe" 0
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\warz.exe "C:\Users\user\AppData\Local\Temp\warz.exe" 0
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\rem.exe "C:\Users\user\AppData\Local\Temp\rem.exe" 0
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\hawkstartup.exe "C:\Users\user\AppData\Local\Temp\hawkstartup.exe" 0
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe" 0
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe" 0
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\warz.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\AppData\Local\Temp\warz.exe Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 11_2_0088F619
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 12_2_0102F619
Source: C:\ProgramData\images.exe Code function: 22_2_0033F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 22_2_0033F619
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_0219AF3E AdjustTokenPrivileges, 26_2_0219AF3E
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_0219AF07 AdjustTokenPrivileges, 26_2_0219AF07
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0089290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize, 11_2_0089290F
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_008920B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 11_2_008920B8
Source: hawkstartup.exe.4.dr, Form1.cs Base64 encoded string: 'qTd8VQLAEkmZh9T1lwAg4vNn/06IIYj2+rg5JeHdokwzD7YTfxMi/o4Nmen2Wic0', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\rem.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-G9IQ8F
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_01
Source: ori4.0dec23sta.exe.4.dr, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: ori4.0dec23sta.exe.4.dr, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: hawkstartup.exe.4.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: hawkstartup.exe.4.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: hawkstartup.exe.4.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: hawkstartup.exe.4.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: SW0P9o9ksjpBsnr.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: SW0P9o9ksjpBsnr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\AppData\Local\Temp\bin.exe Directory created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: SW0P9o9ksjpBsnr.exe Static file information: File size 2203648 > 1048576
Source: SW0P9o9ksjpBsnr.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x219600
Source: SW0P9o9ksjpBsnr.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, hawkstartup.exe, 00000013.00000002.332921599.0000000002B31000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, hawkstartup.exe, hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: SW0P9o9ksjpBsnr.exe, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.SW0P9o9ksjpBsnr.exe.800000.0.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.SW0P9o9ksjpBsnr.exe.800000.0.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: hawkstartup.exe.4.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: hawkstartup.exe.4.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: hawkstartup.exe.4.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: hawkstartup.exe.4.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.7.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.11.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.5.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.SW0P9o9ksjpBsnr.exe.f60000.3.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.15.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.2.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.SW0P9o9ksjpBsnr.exe.f60000.1.unpack, SettlersOfCatan/SettlersStartScreen.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 0_2_00802FA3 push ds; iretd 0_2_00802FA4
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 0_2_008029FC push ecx; ret 0_2_00802A27
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 0_2_0781AE90 pushfd ; ret 0_2_0781AED5
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 4_2_00F629FC push ecx; ret 4_2_00F62A27
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Code function: 4_2_00F62FA3 push ds; iretd 4_2_00F62FA4
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_00881190 push eax; ret 11_2_008811A4
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_00881190 push eax; ret 11_2_008811CC
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_01021190 push eax; ret 12_2_010211A4
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_01021190 push eax; ret 12_2_010211CC
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_00540712 push eax; ret 19_2_00540726
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_00540712 push eax; ret 19_2_0054074E
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_0051B87E push ecx; ret 19_2_0051B88E
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_0051BA9D push eax; ret 19_2_0051BAB1
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_0051BA9D push eax; ret 19_2_0051BAD9
Source: C:\ProgramData\images.exe Code function: 22_2_00331190 push eax; ret 22_2_003311A4
Source: C:\ProgramData\images.exe Code function: 22_2_00331190 push eax; ret 22_2_003311CC
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Code function: 23_2_012A441C push ss; retf 23_2_012A4426
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Code function: 23_2_012A3567 push ss; retf 23_2_012A3572
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_021924C4 push esi; ret 26_2_021924DE
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_0219296C push cs; ret 26_2_021929A6
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_0229092F pushfd ; retf 26_2_02290B53
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_02291CA2 pushfd ; retf 26_2_02291CA3
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_02291AB8 pushfd ; retf 26_2_02291C23
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_02291CBC pushfd ; retf 26_2_02291CCB
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_02291A0C pushfd ; ret 26_2_02291A2B
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_022905CF pushfd ; ret 26_2_022905D3
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_022919D0 pushfd ; retf 26_2_022919E3
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088FA42 LoadLibraryA,GetProcAddress, 11_2_0088FA42
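The AppDomain::Load(System.Byte[]) and Assembly::Load(System.Byte[]) hits above mean the dropper carries further PE images as byte arrays and maps them without writing them to disk, and the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry listed under the static PE information is the field that marks such an image as a managed (.NET) one. The script below is an added example, not code from the sample, the sandbox or any tool named in this report: it scans a byte blob for embedded PE images, reports where each one starts and how long it is, and flags the ones whose data directory 14 (the CLR header) is populated. The two PE images it scans are constructed inline and contain no real code; they stand in for the payloads the dropper embeds.

```python
"""Carve embedded PE images out of a byte blob and flag the ones that are .NET assemblies.

Added example, not code from the sample or the sandbox. Loaders that call
Assembly.Load(byte[]) keep their payloads as raw PE images inside the host
binary; a managed image is recognisable by a non-empty CLR header entry in
data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR). The two PE images
scanned at the bottom are constructed here and contain no real code.
"""
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(blob, off):
    """Describe the PE image at blob[off:], or return None if the headers there are not valid."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    # Sanity limit on the DOS stub size; a real e_lfanew is a few hundred bytes at most.
    if e_lfanew > 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", blob, opt)[0] if opt + 2 <= len(blob) else 0
    if magic == PE32_MAGIC:
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        return None
    if nrva_off + 4 > len(blob):
        return None
    n_rva = struct.unpack_from("<I", blob, nrva_off)[0]
    is_dotnet = False
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if n_rva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and entry + 8 <= len(blob):
        rva, size = struct.unpack_from("<II", blob, entry)
        is_dotnet = rva != 0 and size != 0
    # On-disk size: the furthest end of any section's raw data (headers only, if there are no sections).
    sect = opt + opt_size
    end = sect
    for i in range(nsec):
        s = sect + 40 * i
        if s + 40 > len(blob):
            break
        raw_size, raw_ptr = struct.unpack_from("<II", blob, s + 16)
        end = max(end, off + raw_ptr + raw_size)
    return {"offset": off, "machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "is_dotnet": is_dotnet, "size": min(end, len(blob)) - off}


def carve(blob):
    """Return every valid PE image in blob; nested images (a PE stored inside another PE's sections) are reported too."""
    found, pos = [], blob.find(b"MZ")
    while pos >= 0:
        info = parse_pe(blob, pos)
        if info:
            found.append(info)
        pos = blob.find(b"MZ", pos + 2)
    return found


def build_pe(dotnet, dll):
    """Build a minimal PE32 image (one 512-byte section) with or without a CLR header entry; test data only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)
    opt_size = 96 + 16 * 8
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, chars)
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = b"".join(struct.pack("<II", 0x2000, 0x48) if (i == IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and dotnet)
                    else b"\0" * 8 for i in range(16))
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + dirs + section
    return headers + b"\0" * (0x200 - len(headers)) + b"\xCC" * 0x200


# Constructed blob: junk, a native EXE, a stray "MZ" that is not a PE, then a managed DLL.
SAMPLE_BLOB = b"constructed junk " + build_pe(False, False) + b"MZ not a pe" + build_pe(True, True)


def carve_sample():
    return carve(SAMPLE_BLOB)


if __name__ == "__main__":
    for pe in carve_sample():
        print(pe)
```

Run carve() over the dropper's own bytes or over a memory dump of process 0/4: each hit's offset and size give the slice to write out for separate scanning, and is_dotnet tells you which slices to hand to a .NET decompiler rather than a native disassembler.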

Persistence and Installation Behavior:

barindex
Contains functionality to create new users
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088D418 NetUserAdd,NetLocalGroupAddMembers, 11_2_0088D418
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\warz.exe File created: C:\ProgramData\images.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\warz.exe File created: C:\ProgramData\images.exe Jump to dropped file
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Jump to dropped file
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\bin.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe Jump to dropped file
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\warz.exe Jump to dropped file
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\rem.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe File created: C:\Users\user\AppData\Roaming\100\100.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe File created: C:\Users\user\AppData\Local\Temp\tmpG759.tmp (copy) Jump to dropped file
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Jump to dropped file
Contains functionality to download and launch executables
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_008827D3 URLDownloadToFileW,ShellExecuteW, 11_2_008827D3
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 11_2_0088AC0A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 11_2_0088A6C8
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 12_2_0102AC0A
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 12_2_0102A6C8
Source: C:\ProgramData\images.exe Code function: 22_2_0033AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 22_2_0033AC0A
Source: C:\ProgramData\images.exe Code function: 22_2_0033A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 22_2_0033A6C8

Boot Survival:

barindex
Creates autostart registry keys with suspicious names
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 100 (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 11_2_0088D508

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\bin.exe File opened: C:\Users\user\AppData\Local\Temp\bin.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\warz.exe File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe File opened: C:\Users\user\AppData\Roaming\100\100.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe File opened: C:\Users\user\AppData\Roaming\100\100.exe:Zone.Identifier read attributes | delete
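The evidence lines in the Persistence and Installation, Boot Survival and zone.identifier blocks above, the mutex lines at the top of this section and the SpecialAccounts\UserList string hits that follow all use a few fixed line shapes, so they can be turned into a deduplicated indicator list and a dropper tree mechanically. The script below is an added example, not part of the report or of the sandbox's own tooling; the sample lines embedded in it are copied from this report, and the short list of benign mutex names it ignores is this example's own judgement rather than a sandbox rule.

```python
"""Turn sandbox report lines into deduplicated, hunt-ready indicators.

Added example, not part of the original report or the sandbox vendor's code.
SAMPLE_LINES are copied verbatim from this report; the benign-mutex filter is
this example's own judgement, not a sandbox rule.
"""
import re
from collections import defaultdict

# One regex per evidence line shape; the process path is always the token after "Source:".
PATTERNS = {
    "dropped_file": re.compile(
        r"^Source: (?P<proc>\S+) File created: (?P<value>.+?)(?: \(copy\))? Jump to dropped file$"),
    "run_key": re.compile(
        r"^Source: (?P<proc>\S+) Registry value created or modified: (?P<value>HKEY_\S+\\Run \S+)$"),
    "zone_id_delete": re.compile(
        r"^Source: (?P<proc>\S+) File opened: (?P<value>.+?):Zone\.Identifier read attributes \| delete"),
    "mutex": re.compile(r"^Source: (?P<proc>\S+) Mutant created: (?P<value>.+)$"),
    "hidden_account_key": re.compile(
        r"^Source: (?P<proc>[^ ,]+).* String found in binary or memory: .*"
        r"(?P<value>SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList)"),
}
# Mutex names every console host / .NET process creates; dropping them leaves only malware-specific names.
BENIGN_MUTEX_MARKERS = ("WilError_", ".net clr networking")

# Constructed input: lines copied from this report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\rem.exe Mutant created: \Sessions\1\BaseNamedObjects\Remcos-G9IQ8F",
    r"Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_01",
    r"Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking",
    r"Source: C:\Users\user\AppData\Local\Temp\warz.exe File created: C:\ProgramData\images.exe Jump to dropped file",
    r"Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe File created: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Jump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe Jump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe File created: C:\Users\user\AppData\Roaming\100\100.exe (copy) Jump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 100",
    r"Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 100",
    r"Source: C:\Users\user\AppData\Local\Temp\bin.exe File opened: C:\Users\user\AppData\Local\Temp\bin.exe:Zone.Identifier read attributes | delete Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe File opened: C:\Users\user\AppData\Roaming\100\100.exe:Zone.Identifier read attributes | delete",
    r"Source: bin.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList",
    r"Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList",
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def extract(lines):
    """Map category -> sorted, deduplicated (process basename, value) pairs."""
    found = defaultdict(set)
    for line in lines:
        for cat, rx in PATTERNS.items():
            m = rx.search(line.strip())
            if not m:
                continue
            value = m.group("value")
            if cat == "mutex" and any(k in value for k in BENIGN_MUTEX_MARKERS):
                break
            found[cat].add((basename(m.group("proc")), value))
            break
    return {cat: sorted(v) for cat, v in found.items()}


def drop_chain(iocs):
    """Parent process basename -> basenames of the PE files it wrote (the dropper tree)."""
    chain = defaultdict(list)
    for proc, path in iocs.get("dropped_file", []):
        chain[proc].append(basename(path))
    return dict(chain)


def sample_iocs():
    return extract(SAMPLE_LINES)


if __name__ == "__main__":
    iocs = sample_iocs()
    for cat, pairs in iocs.items():
        for proc, value in pairs:
            print(f"{cat:20s} {proc:24s} {value}")
    print(drop_chain(iocs))
```

The dropper tree is what to hunt with: any of the dropped basenames (images.exe under C:\ProgramData, "Windows Update.exe" under Roaming, 100.exe under Roaming\100) appearing alongside a Run value named 100 or a missing Zone.Identifier stream on a freshly written executable is the chain this report records, and the Remcos mutex name identifies the RAT stage independently of file names.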
Contains functionality to hide user accounts
Note on the string hits below. Two strings recur. [S1] is the registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList (a DWORD value of 0 named after an account under this key removes that account from the logon screen and from the Users control panel). [S2] is one long run of adjacent strings from the same code, listed once here with the leading run of 'UEEEE…' filler bytes removed; in the dumps marked "(!-variant)" the report prints it with a leading "! " and a trailing '9 "@':
[S2] = TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
The file names rdpwrap.ini and rfxvmt.dll, the TermService ServiceDll and ImagePath values and the fDenyTSConnections / AllowMultipleTSSessions settings in [S2] are the artifacts of the open-source RDP Wrapper library; together with the "Microsoft DN1" directory created by bin.exe and the NetUserAdd / NetLocalGroupAddMembers import noted under Persistence, this points to a hidden-account RDP backdoor rather than plain account hiding. The same [S2] occurs in SW0P9o9ksjpBsnr.exe, bin.exe and warz.exe, so all three carry the same component.
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp String found in binary or memory: [S1] and [S2]
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.294966162.00000000018CC000.00000004.00000001.sdmp String found in binary or memory: [S2] (!-variant)
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp String found in binary or memory: [S1] and [S2]
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.284923646.0000000001893000.00000004.00000001.sdmp String found in binary or memory: [S2] (!-variant)
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp String found in binary or memory: [S1] and [S2]
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.291709456.0000000004593000.00000004.00000001.sdmp String found in binary or memory: [S2] (!-variant)
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.286875051.0000000001893000.00000004.00000001.sdmp String found in binary or memory: [S2] (!-variant)
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp String found in binary or memory: [S2] (!-variant)
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.314218745.0000000001903000.00000004.00000001.sdmp String found in binary or memory: [S2] (!-variant)
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000003.324999984.0000000001904000.00000004.00000001.sdmp String found in binary or memory: [S2] (!-variant)
Source: bin.exe String found in binary or memory: [S1]
Source: bin.exe, 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp String found in binary or memory: [S1] and [S2]
Source: bin.exe, 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp String found in binary or memory: [S1] and [S2]
Source: bin.exe, 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp String found in binary or memory: [S1] and [S2]
Source: bin.exe, 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp String found in binary or memory: [S1] and [S2]
Source: bin.exe, 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp String found in binary or memory: [S1] and [S2]
Source: bin.exe, 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp String found in binary or memory: [S1] and [S2]
Source: warz.exe String found in binary or memory: [S1]
Source: warz.exe, 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp String found in binary or memory: [S1] and [S2]
Source: warz.exe, 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: warz.exe, 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: warz.exe, 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: warz.exe, 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: warz.exe, 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: warz.exe, 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe, 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: images.exe, 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe, 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\rem.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Process information set: NOOPENFILEERRORBOX (observed 38 times)
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Process information set: NOOPENFILEERRORBOX (observed 43 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (observed 118 times)
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Function Chain: systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,memAlloc,threadDelayed,threadDelayed,processSet,processSet,processSet,processSet,threadDelayed,fileCreated,processSet,processSet
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe TID: 3752 Thread sleep time: -33730s >= -30000s
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe TID: 5796 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\bin.exe TID: 6484 Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Local\Temp\bin.exe TID: 6484 Thread sleep time: -65000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\warz.exe TID: 6548 Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Local\Temp\rem.exe TID: 6756 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\rem.exe TID: 6752 Thread sleep count: 82 > 30
Source: C:\Users\user\AppData\Local\Temp\rem.exe TID: 6752 Thread sleep time: -49200000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6884 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6744 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 6928 Thread sleep count: 826 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 6928 Thread sleep time: -9912000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6980 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6936 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe TID: 6984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe TID: 6972 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\images.exe TID: 6828 Thread sleep count: 60 > 30
Source: C:\ProgramData\images.exe TID: 6828 Thread sleep time: -65000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe TID: 6284 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe TID: 6288 Thread sleep count: 5580 > 30
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe TID: 6288 Thread sleep count: 4155 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6464 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 4460 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 4460 Thread sleep count: 133 > 30
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 4460 Thread sleep time: -3990000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 2892 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 4460 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe TID: 4736 Thread sleep count: 321 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\bin.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\images.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Last function: Thread delayed
Contains functionality to enumerate running services
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 11_2_0088DA5B
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 12_2_0102DA5B
Source: C:\ProgramData\images.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 22_2_0033DA5B
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\rem.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5042
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 638
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 826
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4975
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 391
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Window / User API: threadDelayed 5580
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Window / User API: threadDelayed 4155
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7025
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1326
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Thread delayed: delay time: 33730
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\rem.exe Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0089002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 11_2_0089002B
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp Binary or memory string: vmware
Source: bin.exe, 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, bin.exe, 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, bin.exe, 0000000B.00000002.530516262.00000000010D8000.00000004.00000020.sdmp, bin.exe, 0000000B.00000003.295910913.00000000010D8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: ori4.0dec23sta.exe, 00000017.00000002.540819805.0000000006720000.00000004.00000001.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.541875355.00000000056D0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.287902028.0000000002CDD000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_00889DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 11_2_00889DF6
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088FF27 FindFirstFileW,FindNextFileW, 11_2_0088FF27
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_01029DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 12_2_01029DF6
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0102FF27 FindFirstFileW,FindNextFileW, 12_2_0102FF27
Source: C:\ProgramData\images.exe Code function: 22_2_00339DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 22_2_00339DF6
Source: C:\ProgramData\images.exe Code function: 22_2_0033FF27 FindFirstFileW,FindNextFileW, 22_2_0033FF27

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088FA42 LoadLibraryA,GetProcAddress, 11_2_0088FA42
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0089094E mov eax, dword ptr fs:[00000030h] 11_2_0089094E
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_00890619 mov eax, dword ptr fs:[00000030h] 11_2_00890619
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_00890620 mov eax, dword ptr fs:[00000030h] 11_2_00890620
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_0103094E mov eax, dword ptr fs:[00000030h] 12_2_0103094E
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_01030619 mov eax, dword ptr fs:[00000030h] 12_2_01030619
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_01030620 mov eax, dword ptr fs:[00000030h] 12_2_01030620
Source: C:\ProgramData\images.exe Code function: 22_2_0034094E mov eax, dword ptr fs:[00000030h] 22_2_0034094E
Source: C:\ProgramData\images.exe Code function: 22_2_00340620 mov eax, dword ptr fs:[00000030h] 22_2_00340620
Source: C:\ProgramData\images.exe Code function: 22_2_00340619 mov eax, dword ptr fs:[00000030h] 22_2_00340619
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_00881085 GetProcessHeap,RtlAllocateHeap, 11_2_00881085
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Process token adjusted: Debug
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Code function: 26_2_023C4E62 LdrInitializeThunk, 26_2_023C4E62
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\bin.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 31E0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bin.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3270000 protect: page read and write
Source: C:\ProgramData\images.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 2390000 protect: page execute and read and write
Source: C:\ProgramData\images.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 23A0000 protect: page read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 400000 value starts with: 4D5A
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\bin.exe Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 31E010E
Source: C:\ProgramData\images.exe Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 239010E
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\AppData\Local\Temp\warz.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\AppData\Local\Temp\bin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\AppData\Local\Temp\warz.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\ProgramData\images.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 400000
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 401000
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 403000
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Memory written: C:\Windows\System32\BackgroundTransferHost.exe base: 13BB008
Source: C:\Users\user\AppData\Local\Temp\bin.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 31E0000
Source: C:\Users\user\AppData\Local\Temp\bin.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 3270000
Source: C:\ProgramData\images.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 2390000
Source: C:\ProgramData\images.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 23A0000
.NET source code references suspicious native API functions
Source: ori4.0dec23sta.exe.4.dr, A/b2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: hawkstartup.exe.4.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: hawkstartup.exe.4.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: ori2.0dec23sta.exe.4.dr, A/b2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Contains functionality to inject threads in other processes
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_00891FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 11_2_00891FD8
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_008879E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 11_2_008879E8
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_010279E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 12_2_010279E8
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: 12_2_01031FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 12_2_01031FD8
Source: C:\ProgramData\images.exe Code function: 22_2_00341FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 22_2_00341FD8
Source: C:\ProgramData\images.exe Code function: 22_2_003379E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 22_2_003379E8
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 11_2_008920B8
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 12_2_010320B8
Source: C:\ProgramData\images.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 22_2_003420B8
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\bin.exe "C:\Users\user\AppData\Local\Temp\bin.exe" 0
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\warz.exe "C:\Users\user\AppData\Local\Temp\warz.exe" 0
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\rem.exe "C:\Users\user\AppData\Local\Temp\rem.exe" 0
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\hawkstartup.exe "C:\Users\user\AppData\Local\Temp\hawkstartup.exe" 0
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe" 0
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Process created: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe "C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe" 0
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid, 11_2_0088F56D
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_008918BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError, 11_2_008918BA
Source: bin.exe, 0000000B.00000002.531576321.0000000001730000.00000002.00020000.sdmp, cmd.exe, 0000000F.00000002.529850717.0000000004050000.00000002.00020000.sdmp, images.exe, 00000016.00000002.529035079.0000000001D10000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.533860532.0000000001660000.00000002.00020000.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.532548189.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: bin.exe, 0000000B.00000002.531576321.0000000001730000.00000002.00020000.sdmp, cmd.exe, 0000000F.00000002.529850717.0000000004050000.00000002.00020000.sdmp, images.exe, 00000016.00000002.529035079.0000000001D10000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.533860532.0000000001660000.00000002.00020000.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.532548189.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progman
Source: bin.exe, 0000000B.00000002.531576321.0000000001730000.00000002.00020000.sdmp, cmd.exe, 0000000F.00000002.529850717.0000000004050000.00000002.00020000.sdmp, images.exe, 00000016.00000002.529035079.0000000001D10000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.533860532.0000000001660000.00000002.00020000.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.532548189.0000000000D80000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: bin.exe, 0000000B.00000002.531576321.0000000001730000.00000002.00020000.sdmp, cmd.exe, 0000000F.00000002.529850717.0000000004050000.00000002.00020000.sdmp, images.exe, 00000016.00000002.529035079.0000000001D10000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.533860532.0000000001660000.00000002.00020000.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.532548189.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: bin.exe, 0000000B.00000002.531576321.0000000001730000.00000002.00020000.sdmp, cmd.exe, 0000000F.00000002.529850717.0000000004050000.00000002.00020000.sdmp, images.exe, 00000016.00000002.529035079.0000000001D10000.00000002.00020000.sdmp, ori4.0dec23sta.exe, 00000017.00000002.533860532.0000000001660000.00000002.00020000.sdmp, ori2.0dec23sta.exe, 0000001A.00000002.532548189.0000000000D80000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Queries volume information: unknown VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088F93F cpuid 11_2_0088F93F
Source: C:\Users\user\Desktop\SW0P9o9ksjpBsnr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: 11_2_0088882F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,GetLocalTime,wsprintfW,lstrcatW,CreateFileW,CloseHandle,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA, 11_2_0088882F

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connection per server for Internet Explorer
Source: C:\Users\user\AppData\Local\Temp\bin.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match File source: 19.2.hawkstartup.exe.52fa72.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.433914627.00000000047A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.357769555.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.378931650.00000000047A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.356939795.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000000.357301492.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.386194733.00000000047A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.364309945.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hawkstartup.exe PID: 6776, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Yara detected HawkEye Keylogger
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.52fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.4d8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d9c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.52fa72.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.hawkstartup.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.hawkstartup.exe.4d8208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.429395499.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.329135760.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.375010031.0000000000632000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.328533797.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.374311123.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.363080383.0000000006F7A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.323573153.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.302582186.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.304045039.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.331424060.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000002.429309545.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.384358541.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.431803331.00000000037A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.326251064.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002D.00000000.405080037.0000000000E82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.369552203.0000000000632000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.305406305.00000000004D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.371692266.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.382113239.0000000000F42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hawkstartup.exe PID: 6776, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Yara detected AgentTesla
Source: Yara match File source: 26.0.ori2.0dec23sta.exe.d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.ori2.0dec23sta.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.ori2.0dec23sta.exe.d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.ori4.0dec23sta.exe.8c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.ori4.0dec23sta.exe.8c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.ori4.0dec23sta.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.ori4.0dec23sta.exe.8c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.ori2.0dec23sta.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.ori4.0dec23sta.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.ori2.0dec23sta.exe.d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.423572403.0000000000552000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.364545271.00000000056D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.387431044.0000000000682000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.429550823.0000000000682000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.322486737.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.324705647.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.523856737.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.317498484.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.313041784.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.523672410.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.523858136.0000000000552000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.317967503.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.311207048.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.311917188.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\100\100.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe, type: DROPPED
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ori4.0dec23sta.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ori2.0dec23sta.exe PID: 7112, type: MEMORYSTR
Yara detected Remcos RAT
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rem.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPED
Yara detected AveMaria stealer
Source: Yara match File source: C:\ProgramData\images.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Contains functionality to steal e-mail passwords
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: POP3 Password 11_2_0088A29A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: SMTP Password 11_2_0088A29A
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: IMAP Password 11_2_0088A29A
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: POP3 Password 12_2_0102A29A
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: SMTP Password 12_2_0102A29A
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: IMAP Password 12_2_0102A29A
Source: C:\ProgramData\images.exe Code function: POP3 Password 22_2_0033A29A
Source: C:\ProgramData\images.exe Code function: SMTP Password 22_2_0033A29A
Source: C:\ProgramData\images.exe Code function: IMAP Password 22_2_0033A29A
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hawkstartup.exe PID: 6776, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: \Google\Chrome\User Data\Default\Login Data 11_2_0088C1B2
Source: C:\Users\user\AppData\Local\Temp\bin.exe Code function: \Chromium\User Data\Default\Login Data 11_2_0088C1B2
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: \Google\Chrome\User Data\Default\Login Data 12_2_0102C1B2
Source: C:\Users\user\AppData\Local\Temp\warz.exe Code function: \Chromium\User Data\Default\Login Data 12_2_0102C1B2
Source: C:\ProgramData\images.exe Code function: \Google\Chrome\User Data\Default\Login Data 22_2_0033C1B2
Source: C:\ProgramData\images.exe Code function: \Chromium\User Data\Default\Login Data 22_2_0033C1B2
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bin.exe PID: 6480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: warz.exe PID: 6544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: images.exe PID: 6824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ori4.0dec23sta.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ori2.0dec23sta.exe PID: 7112, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\images.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hawkstartup.exe PID: 6776, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Yara detected AgentTesla
Source: Yara match File source: 26.0.ori2.0dec23sta.exe.d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.ori2.0dec23sta.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.ori2.0dec23sta.exe.d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.ori4.0dec23sta.exe.8c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.ori4.0dec23sta.exe.8c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.ori4.0dec23sta.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.ori4.0dec23sta.exe.8c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.ori2.0dec23sta.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.ori4.0dec23sta.exe.8c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.ori2.0dec23sta.exe.d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.312592775.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.423572403.0000000000552000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.315881747.0000000003ECD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.364545271.00000000056D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.309595356.0000000003ECE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.387431044.0000000000682000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.429550823.0000000000682000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.322486737.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.324705647.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.523856737.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.317498484.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.313041784.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.523672410.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.523858136.0000000000552000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.317967503.00000000000D2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.311207048.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.311917188.00000000008C2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\100\100.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ori2.0dec23sta.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ori4.0dec23sta.exe, type: DROPPED
Source: Yara match File source: 00000004.00000003.307369542.00000000045AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.330768411.0000000004525000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.329717962.0000000003E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.535498447.0000000002D41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.313272509.0000000003E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.286683979.0000000003E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.315166060.0000000003ECD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.535180538.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.286824707.0000000003ECC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.328524290.00000000044B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.325603575.0000000004481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.432258770.0000000002A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.534940156.0000000002721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ori4.0dec23sta.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ori2.0dec23sta.exe PID: 7112, type: MEMORYSTR
Yara detected Remcos RAT
Source: Yara match File source: 13.0.rem.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.rem.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.rem.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.rem.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.297395374.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.298936574.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.298035428.0000000000454000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 5468, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SW0P9o9ksjpBsnr.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rem.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\rem.exe, type: DROPPED
Detected HawkEye Rat
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: hawkstartup.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: hawkstartup.exe String found in binary or memory: HawkEyeKeylogger
Source: hawkstartup.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: hawkstartup.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: hawkstartup.exe, 00000013.00000000.303483748.00000000004D2000.00000002.00020000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: hawkstartup.exe, 00000013.00000002.332921599.0000000002B31000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Yara detected AveMaria stealer
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.3290000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.images.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.bin.exe.880000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.41b62f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.warz.exe.1020000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.3290000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.SW0P9o9ksjpBsnr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.41b62f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.4031bf.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.SW0P9o9ksjpBsnr.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e95f28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SW0P9o9ksjpBsnr.exe.3e980e7.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.295733640.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.294569462.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.524091426.0000000000344000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.295896513.00000000010CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.291633552.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.291260710.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.295581021.00000000010D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.533537328.00000000036E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.291798891.0000000004593000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.293488925.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.304556285.0000000000344000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.312181908.0000000002FD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.300135911.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.305332768.0000000000DA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.328585434.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.525142353.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.528296094.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.310994580.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.317967942.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.290415827.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.331007684.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.282034651.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.533158869.0000000003085000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.315866343.000000000149C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.528440483.0000000003290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.314784536.00000000014A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.290858967.0000000000894000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.300261604.0000000000D8C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.299137914.0000000000D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.294897016.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.293955227.0000000001034000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.331133641.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\ProgramData\images.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\warz.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\bin.exe, type: DROPPED
Detected Remcos RAT
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: SW0P9o9ksjpBsnr.exe, 00000000.00000002.289270631.0000000003C99000.00000004.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: SW0P9o9ksjpBsnr.exe, 00000004.00000000.283855450.0000000000403000.00000040.00000001.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
Source: rem.exe, 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp String found in binary or memory: Remcos_Mutex_Inj
Source: rem.exe, 0000000D.00000000.296555205.0000000000454000.00000002.00020000.sdmp String found in binary or memory: fso.DeleteFolder "\update.vbsCreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)Unknown exceptionbad castbad locale name: genericiostreamiostream stream errorios_base::badbit setios_base::failbit setios_base::eofbit setlicense_code.txtSoftware\ExeWDRemcos_Mutex_InjInjProductName (64 bit) (32 bit)licenceRemcos Agent initializedUserAccess Level: AdministratorGetModuleFileNameExAPsapi.dllKernel32.dllGetModuleFileNameExWNtUnmapViewOfSectionntdll.dllGlobalMemoryStatusExkernel32.dllIsWow64Processkernel32GetComputerNameExWIsUserAnAdminShell32SetProcessDEPPolicyEnumDisplayDevicesWuser32EnumDisplayMonitorsGetMonitorInfoWShlwapi.dll1Program Files\Program Files (x86)\overridepth_unenc3.3.2 Prov|
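The string indicators listed under "Detected HawkEye Rat" and "Detected Remcos RAT" above are easy to turn into an offline triage check for memory dumps and dropped files. The following is an added example, not part of this report and not Joe Sandbox tooling: it searches a buffer for exactly the HawkEye and Remcos strings the report prints, in both ASCII and UTF-16LE, because the HawkEye strings come from a .NET binary and are stored as UTF-16 in process memory (the report shows them decoded), while Remcos is native and its strings are ASCII. Only these two families are covered, since the report lists no plain strings for AgentTesla or AveMaria. The sample buffers at the bottom are constructed for the demo, and a string hit is a triage signal, not a Yara-grade verdict.

```python
from __future__ import annotations

import sys
from pathlib import Path

# Indicator strings copied from the report's "String found in binary or memory"
# lines. No other families are included because the report gives no plain
# strings for them.
FAMILY_STRINGS: dict[str, list[str]] = {
    "HawkEye": [
        "HawkEyeKeylogger",
        "HawkEye_Keylogger_Execution_Confirmed_",
        "HawkEye_Keylogger_Stealer_Records_",
        "HawkEye_Keylogger_Keylog_Records_",
    ],
    "Remcos": [
        "Remcos_Mutex_Inj",
        "Remcos Agent initialized",
    ],
}


def _encodings(indicator: str) -> dict[str, bytes]:
    # Search both encodings: .NET user strings (HawkEye) live in memory as
    # UTF-16LE, native Remcos strings as ASCII. Checking only ASCII would miss
    # the HawkEye hits entirely.
    return {
        "ascii": indicator.encode("ascii"),
        "utf16le": indicator.encode("utf-16-le"),
    }


def scan_buffer(data: bytes) -> dict[str, list[tuple[str, str, int]]]:
    """Return {family: [(indicator, encoding, offset), ...]} for every hit."""
    hits: dict[str, list[tuple[str, str, int]]] = {}
    for family, indicators in FAMILY_STRINGS.items():
        for indicator in indicators:
            for enc_name, needle in _encodings(indicator).items():
                off = data.find(needle)
                while off != -1:
                    hits.setdefault(family, []).append((indicator, enc_name, off))
                    off = data.find(needle, off + 1)
    return hits


def families(data: bytes) -> set[str]:
    """Names of the families with at least one string hit in the buffer."""
    return set(scan_buffer(data))


def scan_path(path: str) -> dict[str, list[tuple[str, str, int]]]:
    """Scan a dropped file or a raw memory dump (e.g. a .sdmp) from disk."""
    return scan_buffer(Path(path).read_bytes())


# Constructed sample buffers for the demo (not data from the report):
# a .NET-style blob with UTF-16LE strings, a native-style blob with ASCII
# strings, and a benign PE header fragment.
SAMPLE_DOTNET = (
    b"\x00" * 16
    + "\\pidloc.txt".encode("utf-16-le")
    + "HawkEyeKeylogger".encode("utf-16-le")
    + b"\x00" * 8
)
SAMPLE_NATIVE = (
    b"MZ" + b"\x00" * 30
    + b"Remcos Agent initialized\x00Remcos_Mutex_Inj\x00"
)
SAMPLE_CLEAN = b"MZ" + b"\x00" * 30 + b"This program cannot be run in DOS mode"


if __name__ == "__main__":
    # Usage: python triage.py <dump-or-file> [...]; with no arguments, run the demo.
    targets = sys.argv[1:]
    if not targets:
        for name, buf in (("dotnet", SAMPLE_DOTNET), ("native", SAMPLE_NATIVE), ("clean", SAMPLE_CLEAN)):
            print(name, sorted(families(buf)), scan_buffer(buf))
    for target in targets:
        for family, entries in scan_path(target).items():
            for indicator, enc, off in entries:
                print(f"{target}: {family} {indicator!r} ({enc}) at 0x{off:x}")
```

Run it against the .sdmp regions and the dropped files named in this report to confirm which process images carry which family; an ASCII-only scan would report Remcos but miss HawkEye, which is why both encodings are searched.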
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_04DA0E9E bind, 19_2_04DA0E9E
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_04DA0A8E listen, 19_2_04DA0A8E
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_04DA0A50 listen, 19_2_04DA0A50
Source: C:\Users\user\AppData\Local\Temp\hawkstartup.exe Code function: 19_2_04DA0E6B bind, 19_2_04DA0E6B