Windows Analysis Report
RIP_YOUR_PC_LOL.exe

Overview

General Information

Sample Name: RIP_YOUR_PC_LOL.exe
Analysis ID: 585264
MD5: 52867174362410d63215d78e708103ea
SHA1: 7ae4e1048e4463a4201bdeaf224c5b6face681bf
SHA256: 37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Tags: exe

Detection

HawkEye, Nanocore, njRat, AsyncRAT, Azorult, DCRat, Ficker Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected MailPassView
Yara detected HawkEye Keylogger
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Azorult Info Stealer
Detected Nanocore Rat
Yara detected AsyncRAT
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Yara detected Nanocore RAT
Yara detected DCRat
Yara detected Generic Dropper
Yara detected Azorult
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Yara detected Mimikatz
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Yara detected Ficker Stealer
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: System File Execution Location Anomaly
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Sample uses process hollowing technique
Sigma detected: File Created with System Process Name
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Yara detected WebBrowserPassView password recovery tool
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: CurrentVersion Autorun Keys Modification
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Sigma detected: Suspicious Add Scheduled Task Parent
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sigma detected: Autorun Keys Modification

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Opus.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Roaming\mediaget.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\___11.19.exe Avira: detection malicious, Label: TR/Dropper.GR
Source: C:\Users\user\AppData\Roaming\___11.19.exe Avira: detection malicious, Label: TR/Agent.aagt
Source: C:\Users\user\AppData\Roaming\healastounding.exe Avira: detection malicious, Label: TR/AD.RedLineSteal.cjshc
Source: C:\Users\user\AppData\Roaming\healastounding.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Avira: detection malicious, Label: TR/AD.MalwareCrypter.rrsdk
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen7
Source: C:\Windows\Help\active_desktop_render.dll Avira: detection malicious, Label: HEUR/AGEN.1245024
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Roaming\gay.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\22.exe Avira: detection malicious, Label: HEUR/AGEN.1227810
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Windows\Cursors\WUDFhosts.exe Avira: detection malicious, Label: HEUR/AGEN.1213003
Source: C:\Users\user\AppData\Roaming\a.exe Avira: detection malicious, Label: TR/AD.RedLineSteal.cjshc
Source: C:\Users\user\AppData\Roaming\3.exe Avira: detection malicious, Label: HEUR/AGEN.1203070
Source: C:\Users\user\AppData\Roaming\test.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\aaa.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: Yara match File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match File source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
Source: RIP_YOUR_PC_LOL.exe Virustotal: Detection: 63%
Source: RIP_YOUR_PC_LOL.exe Metadefender: Detection: 33%
Source: RIP_YOUR_PC_LOL.exe ReversingLabs: Detection: 73%
Source: Yara match File source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
Source: RIP_YOUR_PC_LOL.exe Avira: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Metadefender: Detection: 85%
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Metadefender: Detection: 29%
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\22.exe Metadefender: Detection: 38%
Source: C:\Users\user\AppData\Roaming\22.exe ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Roaming\3.exe Metadefender: Detection: 47%
Source: C:\Users\user\AppData\Roaming\3.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\4.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe Metadefender: Detection: 26%
Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe ReversingLabs: Detection: 85%
Source: RIP_YOUR_PC_LOL.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Opus.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mediaget.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\___11.19.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\healastounding.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Source: C:\Windows\Help\active_desktop_render.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\gay.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\22.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Joe Sandbox ML: detected
Source: C:\Windows\Cursors\WUDFhosts.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\a.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\3.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\test.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\aaa.exe Joe Sandbox ML: detected
Source: RIP_YOUR_PC_LOL.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: RIP_YOUR_PC_LOL.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, healastounding.exe, healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, 4.exe, 00000010.00000000.446983407.0000000001203000.00000002.00000001.01000000.0000000E.sdmp, 4.exe, 00000010.00000002.519990989.0000000001203000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: D:\buildbot\slave1\desktop_screen\build\bin\active_desktop_launcher.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000000.407475822.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 0000000F.00000000.436842136.000000000041E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: ]C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000000.407475822.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 0000000F.00000000.436842136.000000000041E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Pluto Panel.exe, 00000005.00000002.710948269.0000000003B3A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712472379.0000000007710000.00000004.00000001.00040000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.706244077.0000000003705000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: autorun.inf
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: [autorun]
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: healastounding.exe Binary or memory string: autorun.inf
Source: healastounding.exe Binary or memory string: [autorun]
Source: healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: autorun.inf
Source: healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: [autorun]
Source: healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: Pluto Panel.exe Binary or memory string: [autorun]
Source: Pluto Panel.exe Binary or memory string: autorun.inf
Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: autorun.inf
Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: [autorun]
Source: gay.exe Binary or memory string: autorun.inf
Source: gay.exe Binary or memory string: [autorun]
Source: gay.exe, 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: autorun.inf
Source: gay.exe, 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: [autorun]
Source: gay.exe, 00000008.00000002.451519757.0000000002744000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: gay.exe, 00000008.00000002.451519757.0000000002744000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: mediaget.exe, 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: autorun.inf
Source: mediaget.exe, 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: [autorun]
Source: mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: mediaget.exe, 00000011.00000002.704209643.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: mediaget.exe, 00000011.00000002.704209643.00000000032B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_03200728
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_03206711
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then call 03201B20h 5_2_03208714
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_03208714
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_03205B71
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then jmp 03201A73h 5_2_032019A0
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then jmp 03201A73h 5_2_032019B0
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_03209596
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_032017F8
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then call 03201B20h 5_2_032087FE
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_032087FE
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then call 03201B20h 5_2_03207FCA
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_03207FCA
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then mov esp, ebp 5_2_0320482F
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_03206038
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_03208E09
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_032076A8
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_032094AC
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_03207698
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_032014C0
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_03208AC3
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_03205CCE

Networking

Source: DNS query: yabynennet.xyz
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe DNS query: name: api.ipify.org
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: gfhhjgh.duckdns.org
Source: global traffic HTTP traffic detected: GET /?format=xml HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic TCP traffic: 192.168.2.6:49768 -> 179.13.1.253:8050
Source: global traffic TCP traffic: 192.168.2.6:49774 -> 41.249.51.34:1470
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Pluto Panel.exe, 00000005.00000002.712709095.0000000008430000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://s2.symcb.com0
Source: healastounding.exe String found in binary or memory: http://schemas.microsof
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://whatismyipaddress.com/
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Pluto Panel.exe, 00000005.00000003.445443819.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.440045453.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441297022.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.442021245.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445694166.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445564416.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441503544.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441818008.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445818252.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com.
Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: Pluto Panel.exe, 00000005.00000003.440045453.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441297022.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comY
Source: Pluto Panel.exe, 00000005.00000003.442021245.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441503544.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441818008.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comkC
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.como.W
Source: Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comt
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Pluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.578609523.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Pluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/C
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlf
Source: Pluto Panel.exe, 00000005.00000003.546333465.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.537131070.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.588600543.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.556315402.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.580567393.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570425092.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.541181738.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.551450060.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.573427389.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersh
Source: Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comFX
Source: Pluto Panel.exe, 00000005.00000002.711887980.0000000005C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd&
Source: Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.578609523.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comitu
Source: Pluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comlicd
Source: Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comn
Source: Pluto Panel.exe, 00000005.00000002.711887980.0000000005C50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comoX
Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comonyn
Source: Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comrsiv
Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comsiv/C
Source: Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comtu
Source: Pluto Panel.exe, 00000005.00000003.413764911.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413943860.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413057625.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413330512.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Pluto Panel.exe, 00000005.00000003.413330512.0000000005C85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comC
Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432587858.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.433071734.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn$
Source: Pluto Panel.exe, 00000005.00000003.434083509.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: Pluto Panel.exe, 00000005.00000003.434083509.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.434485944.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.434712918.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/)
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Pluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432459781.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnT
Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cncz
Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cncz$
Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnv
Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cp
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.freeeim.com/D
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Pluto Panel.exe, 00000005.00000003.423909901.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.425696650.0000000005C85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.i.
Source: Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.466345951.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.469643417.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.466752175.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.465692163.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.467819425.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.467392892.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/J
Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Q
Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/eu-e
Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/g
Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/C
Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/J
Source: Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/X
Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ls
Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Pluto Panel.exe, 00000005.00000003.461535327.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.462539198.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.comm
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Pluto Panel.exe, 00000005.00000003.434485944.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.434712918.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com&
Source: Pluto Panel.exe, 00000005.00000003.445903668.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com=
Source: Pluto Panel.exe, 00000005.00000003.445903668.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comic
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Pluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de
Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Pluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deMTq
Source: Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deR
Source: Pluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deg
Source: Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.derasg
Source: Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.co
Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnY
Source: Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnm
Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.W
Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnts
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: healastounding.exe, healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, gay.exe, gay.exe, 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, mediaget.exe, 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
Source: Pluto Panel.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.comx&
Source: Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: Pluto Panel.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown DNS traffic detected: queries for: store-images.s-microsoft.com
Source: global traffic HTTP traffic detected: GET /?format=xml HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: api.ipify.orgConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 80.87.192.115
Source: unknown TCP traffic detected without corresponding DNS query: 80.87.192.115
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 80.87.192.115
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
Source: unknown TCP traffic detected without corresponding DNS query: 172.98.92.42
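The two network observations above (a GET to api.ipify.org, a public IP-echo service, and repeated TCP connections to 80.87.192.115 and 172.98.92.42 that no DNS query preceded) are both worth a standing detection. The script below is an added example, not part of the Joe Sandbox report: it walks a time-ordered event stream, records every address a DNS answer returned, and flags IP-echo lookups and connects to addresses that were never resolved. The event format, process names and resolved addresses are constructed; only the two destination IPs and the IP-echo hostnames api.ipify.org and whatismyipaddress.com come from the report.

```python
"""Added example (not part of the Joe Sandbox report): flag IP-echo lookups and
TCP connections to addresses that no DNS answer in the capture ever returned.
The event layout is a constructed, simplified one (ts|kind|image|target|answers)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# api.ipify.org and whatismyipaddress.com appear in the report; the remaining
# names are assumptions (other commonly abused IP-echo services).
IP_CHECK_HOSTS = {
    "api.ipify.org", "whatismyipaddress.com", "checkip.amazonaws.com",
    "icanhazip.com", "ipinfo.io",
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str                       # "dns" (query + answers) or "tcp" (connect)
    image: str                      # process image that caused the event
    target: str                     # dns: queried name; tcp: destination IP
    answers: Tuple[str, ...] = ()   # dns only: addresses the answer returned


def parse_line(line: str) -> Event:
    """Constructed layout: ts|kind|image|target[|answer1,answer2,...]"""
    parts = line.strip().split("|")
    ts, kind, image, target = parts[:4]
    answers = tuple(a for a in parts[4].split(",") if a) if len(parts) > 4 else ()
    return Event(float(ts), kind, image, target, answers)


def is_local_noise(ip_str: str) -> bool:
    """Destinations that legitimately need no DNS lookup: LAN, loopback, multicast."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or any(ip in net for net in RFC1918))


def analyze(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return sorted, de-duplicated (finding, image, target) tuples."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e.ts)
    resolved = set()      # every address any DNS answer has returned so far
    findings = set()
    for ev in events:     # time order matters: the DNS answer must precede the connect
        if ev.kind == "dns":
            resolved.update(ev.answers)
            if ev.target.lower().rstrip(".") in IP_CHECK_HOSTS:
                findings.add(("ip_check_service", ev.image, ev.target))
        elif ev.kind == "tcp":
            if ev.target not in resolved and not is_local_noise(ev.target):
                findings.add(("tcp_without_dns", ev.image, ev.target))
    return sorted(findings)


# Constructed sample capture. 80.87.192.115 and 172.98.92.42 are the addresses
# the report lists; process names and resolved addresses are made up.
SAMPLE_LOG = [
    "0.5|dns|sample.exe|store-images.s-microsoft.com|203.0.113.10",
    "0.6|tcp|sample.exe|203.0.113.10",
    "1.0|dns|dropper.exe|api.ipify.org|198.51.100.7",
    "1.1|tcp|dropper.exe|198.51.100.7",
    "1.2|tcp|dropper.exe|192.168.0.1",      # LAN gateway, ignored as noise
    "2.0|tcp|payload.exe|80.87.192.115",
    "2.1|tcp|payload.exe|172.98.92.42",
    "2.2|tcp|payload.exe|172.98.92.42",     # repeat connects collapse into one finding
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print("%-18s %-12s %s" % finding)
```

Two caveats before pointing this at real Zeek or Sysmon data: a connect can lack a DNS query because the name was cached before the capture started, or because the process resolved it over DoH, so treat "tcp_without_dns" as a lead to pivot on (which process, how many distinct destinations) rather than a verdict on its own; and the IP-echo check should key on the HTTP Host header as well as the DNS name, since the report's ipify request was only visible as HTTP traffic.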
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Pluto Panel.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match File source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Pluto Panel.exe PID: 4236, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED
Source: Yara match File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
Source: Pluto Panel.exe.0.dr, Form1.cs .Net Code: HookKeyboard
Source: gay.exe.4.dr, kl.cs .Net Code: VKCodeToUnicode
Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs .Net Code: HookKeyboard
Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs .Net Code: HookKeyboard
Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs .Net Code: HookKeyboard
Source: Opus.exe, 00000009.00000002.701598795.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Opus.exe, 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud

Source: Yara match File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match File source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.674377761.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.673042782.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
Source: Yara match File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match File source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000000.507357595.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000003B.00000000.627731740.00000000007A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000000.548907669.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.610238464.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.552899490.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: gay.exe PID: 1104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mediaget.exe PID: 4688, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\mediaget.exe Process information set: 01 00 00 00

System Summary

Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: Detects NanoCore Author: ditekSHen
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.RIP_YOUR_PC_LOL.exe.c8867b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 11.0.22.exe.5f65b6.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.22.exe.5f65b6.23.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 11.0.22.exe.530edf.22.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 11.0.22.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 11.0.22.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.17.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.0.22.exe.5f65b6.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 11.0.22.exe.43de6f.19.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 11.0.22.exe.530edf.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.0.22.exe.43de6f.2.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.0.22.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.c8867b.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 11.0.22.exe.43de6f.13.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.22.exe.530edf.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.0.22.exe.5f65b6.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.16.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 0.1.RIP_YOUR_PC_LOL.exe.d4dd52.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.11.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.RIP_YOUR_PC_LOL.exe.c8867b.4.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.1.RIP_YOUR_PC_LOL.exe.c8867b.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 11.0.22.exe.43de6f.7.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 11.0.22.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.22.exe.530edf.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.3.RIP_YOUR_PC_LOL.exe.5839748.8.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 11.0.22.exe.530edf.22.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE Matched rule: Detects NanoCore Author: ditekSHen
Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: Detects Ficker infostealer Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.c8867b.4.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen