

Windows Analysis Report
RIP_YOUR_PC_LOL.exe

Overview

General Information

Sample Name: RIP_YOUR_PC_LOL.exe
Analysis ID: 585264
MD5: 52867174362410d63215d78e708103ea
SHA1: 7ae4e1048e4463a4201bdeaf224c5b6face681bf
SHA256: 37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Tags: exe

Detection

Detected families: HawkEye, Nanocore, njRat, AsyncRAT, Azorult, DCRat, Ficker Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Yara detected MailPassView
Yara detected HawkEye Keylogger
Sigma detected: NanoCore
Yara detected AntiVM3
Yara detected Azorult Info Stealer
Detected Nanocore Rat
Yara detected AsyncRAT
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Yara detected Nanocore RAT
Yara detected DCRat
Yara detected Generic Dropper
Yara detected Azorult
Multi AV Scanner detection for submitted file
Detected njRat
Malicious sample detected (through community Yara rule)
Yara detected Njrat
Antivirus / Scanner detection for submitted sample
Yara detected Mimikatz
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Yara detected Ficker Stealer
Sigma detected: Suspicius Schtasks From Env Var Folder
Sigma detected: System File Execution Location Anomaly
Uses netsh to modify the Windows network and firewall settings
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Sample uses process hollowing technique
Sigma detected: File Created with System Process Name
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Protects its processes via BreakOnTermination flag
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Yara detected WebBrowserPassView password recovery tool
PE file has nameless sections
Machine Learning detection for dropped file
Modifies the windows firewall
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Modifies existing windows services
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Creates a start menu entry (Start Menu\Programs\Startup)
Sigma detected: Netsh Port or Application Allowed
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Sigma detected: CurrentVersion Autorun Keys Modification
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Sigma detected: Suspicious Add Scheduled Task Parent
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
File is packed with WinRar
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sigma detected: Autorun Keys Modification

Classification

  • System is w10x64
  • RIP_YOUR_PC_LOL.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe" MD5: 52867174362410D63215D78E708103EA)
    • healastounding.exe (PID: 3572 cmdline: "C:\Users\user\AppData\Roaming\healastounding.exe" MD5: 6FB798F1090448CE26299C2B35ACF876)
      • test.exe (PID: 6236 cmdline: "C:\Users\user\AppData\Roaming\test.exe" MD5: 7E50B292982932190179245C60C0B59B)
      • gay.exe (PID: 1104 cmdline: "C:\Users\user\AppData\Roaming\gay.exe" MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
        • mediaget.exe (PID: 4688 cmdline: "C:\Users\user\AppData\Roaming\mediaget.exe" MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
          • netsh.exe (PID: 7092 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
            • conhost.exe (PID: 4104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Opus.exe (PID: 3244 cmdline: "C:\Users\user\AppData\Roaming\Opus.exe" MD5: 759185EE3724D7563B709C888C696959)
        • schtasks.exe (PID: 6420 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 3280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 7052 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5D87.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • aaa.exe (PID: 3984 cmdline: "C:\Users\user\AppData\Roaming\aaa.exe" MD5: 860AA57FC3578F7037BB27FC79B2A62C)
        • aaa.exe (PID: 6256 cmdline: C:\Users\user\AppData\Roaming\aaa.exe MD5: 860AA57FC3578F7037BB27FC79B2A62C)
      • 8f1c8b40c7be588389a8d382040b23bb.exe (PID: 5376 cmdline: "C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe" MD5: 8F1C8B40C7BE588389A8D382040B23BB)
        • FFDvbcrdfqs.exe (PID: 6920 cmdline: "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe" MD5: 78D40B12FFC837843FBF4DE2164002F6)
        • Dcvxaamev.exe (PID: 6612 cmdline: "C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe" MD5: 870D6E5AEF6DEA98CED388CCE87BFBD4)
      • 4.exe (PID: 2824 cmdline: "C:\Users\user\AppData\Roaming\4.exe" MD5: E6DACE3F577AC7A6F9747B4A0956C8D7)
        • 3.exe (PID: 3964 cmdline: "C:\Users\user\AppData\Roaming\3.exe" MD5: 748A4BEA8C0624A4C7A69F67263E0839)
      • a.exe (PID: 5152 cmdline: "C:\Users\user\AppData\Roaming\a.exe" MD5: 52CFD35F337CA837D31DF0A95CE2A55E)
    • Pluto Panel.exe (PID: 4236 cmdline: "C:\Users\user\AppData\Roaming\Pluto Panel.exe" MD5: ED666BF7F4A0766FCEC0E9C8074B089B)
    • 22.exe (PID: 1272 cmdline: "C:\Users\user\AppData\Roaming\22.exe" MD5: DBF9DAA1707B1037E28A6E0694B33A4B)
      • netsh.exe (PID: 6500 cmdline: netsh ipsec static add policy name=Block MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 6596 cmdline: netsh ipsec static add filterlist name=Filter1 MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 5932 cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 5940 cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 1616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 5748 cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 5504 cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 5584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • netsh.exe (PID: 6060 cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ___11.19.exe (PID: 6732 cmdline: "C:\Users\user\AppData\Roaming\___11.19.exe" MD5: A071727B72A8374FF79A695ECDE32594)
      • svchost.exe (PID: 6552 cmdline: C:\Users\user\AppData\Local\Temp\\svchost.exe MD5: A4329177954D4104005BCE3020E5EF59)
        • cmd.exe (PID: 1852 cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • svchos.exe (PID: 1588 cmdline: C:\Users\user\AppData\Local\Temp\\svchos.exe MD5: 3B377AD877A942EC9F60EA285F7119A2)
      • HD____11.19.exe (PID: 2508 cmdline: C:\Users\user\AppData\Roaming\HD____11.19.exe MD5: B14120B6701D42147208EBF264AD9981)
  • Opus.exe (PID: 6580 cmdline: C:\Users\user\AppData\Roaming\Opus.exe 0 MD5: 759185EE3724D7563B709C888C696959)
  • dhcpmon.exe (PID: 6328 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 759185EE3724D7563B709C888C696959)
  • dhcpmon.exe (PID: 6308 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 759185EE3724D7563B709C888C696959)
  • mediaget.exe (PID: 6036 cmdline: "C:\Users\user\AppData\Roaming\mediaget.exe" .. MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
  • mediaget.exe (PID: 1080 cmdline: "C:\Users\user\AppData\Roaming\mediaget.exe" .. MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
  • TXPlatforn.exe (PID: 5700 cmdline: C:\Windows\SysWOW64\TXPlatforn.exe -auto MD5: A4329177954D4104005BCE3020E5EF59)
    • TXPlatforn.exe (PID: 1480 cmdline: C:\Windows\SysWOW64\TXPlatforn.exe -acsi MD5: A4329177954D4104005BCE3020E5EF59)
  • svchost.exe (PID: 6268 cmdline: C:\Windows\SysWOW64\svchost.exe -k " " MD5: FA6C268A5B5BDA067A901764D203D433)
  • svchost.exe (PID: 6052 cmdline: C:\Windows\SysWOW64\svchost.exe -k " " MD5: FA6C268A5B5BDA067A901764D203D433)
  • mediaget.exe (PID: 5644 cmdline: "C:\Users\user\AppData\Roaming\mediaget.exe" .. MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
  • cleanup
No configs have been found
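The process tree above already contains most of what the behaviour signatures later summarise: a firewall exception added for a binary in AppData, IPsec filters dropping inbound 135/139/445, a scheduled task built from an XML file in Temp, a file named svchost.exe running from Temp, a svchost.exe started with a blank `-k` group, and the classic `ping ... && del` self-removal. The following script is an added example, not part of the report or of any Joe Sandbox tooling: it parses tree lines of the form shown above, rebuilds parent/child links from the indentation, and flags those patterns. The sample lines are copied from the tree above; the lists of user-writable paths, system directories and core binary names are assumptions chosen for this example.

```python
"""Heuristics over a Joe Sandbox process tree (added example, not part of the report)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One tree line: "<indent>• image (PID: n cmdline: ... MD5: hex)"
LINE_RE = re.compile(
    r"^(?P<indent>\s*)•\s*(?P<image>.+?) \(PID: (?P<pid>\d+) cmdline: "
    r"(?P<cmd>.*?) MD5: (?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)

# Subset of the process tree above, copied verbatim (two-space indent per level).
SAMPLE_TREE = r"""
  • RIP_YOUR_PC_LOL.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe" MD5: 52867174362410D63215D78E708103EA)
    • healastounding.exe (PID: 3572 cmdline: "C:\Users\user\AppData\Roaming\healastounding.exe" MD5: 6FB798F1090448CE26299C2B35ACF876)
      • gay.exe (PID: 1104 cmdline: "C:\Users\user\AppData\Roaming\gay.exe" MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
        • mediaget.exe (PID: 4688 cmdline: "C:\Users\user\AppData\Roaming\mediaget.exe" MD5: 8EEDC01C11B251481DEC59E5308DCCC3)
          • netsh.exe (PID: 7092 cmdline: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
      • Opus.exe (PID: 3244 cmdline: "C:\Users\user\AppData\Roaming\Opus.exe" MD5: 759185EE3724D7563B709C888C696959)
        • schtasks.exe (PID: 6420 cmdline: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
    • 22.exe (PID: 1272 cmdline: "C:\Users\user\AppData\Roaming\22.exe" MD5: DBF9DAA1707B1037E28A6E0694B33A4B)
      • netsh.exe (PID: 5748 cmdline: netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
    • ___11.19.exe (PID: 6732 cmdline: "C:\Users\user\AppData\Roaming\___11.19.exe" MD5: A071727B72A8374FF79A695ECDE32594)
      • svchost.exe (PID: 6552 cmdline: C:\Users\user\AppData\Local\Temp\\svchost.exe MD5: A4329177954D4104005BCE3020E5EF59)
        • cmd.exe (PID: 1852 cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • svchost.exe (PID: 6268 cmdline: C:\Windows\SysWOW64\svchost.exe -k " " MD5: FA6C268A5B5BDA067A901764D203D433)
"""


@dataclass
class Proc:
    pid: int
    image: str
    cmd: str
    md5: str
    parent: Optional[int]  # None for top-level entries (parent not in the tree)


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent/child links from the indentation depth of each line."""
    procs: List[Proc] = []
    stack: List[Tuple[int, int]] = []  # (depth, pid) of currently open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines and entries without a PID ("System is ...", "cleanup")
        depth = len(m["indent"]) // 2
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        procs.append(Proc(int(m["pid"]), m["image"], m["cmd"], m["md5"].lower(), parent))
        stack.append((depth, procs[-1].pid))
    return procs


def exe_path(cmd: str) -> str:
    """First token of a command line: a quoted path, or everything up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


# Assumed conventions for this example: user-writable locations, genuine system
# directories, names of core OS binaries, and ports used for lateral movement.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "cmd.exe", "lsass.exe",
                "services.exe", "csrss.exe", "winlogon.exe"}
LATERAL_PORTS = {"135", "139", "445"}  # RPC endpoint mapper, NetBIOS session, SMB


def find_suspicious(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) pairs for every process that trips a heuristic."""
    by_pid = {p.pid: p for p in procs}
    hits: List[Tuple[int, str]] = []
    for p in procs:
        cmd = p.cmd.lower()
        path = exe_path(p.cmd).lower()
        name = ntpath.basename(path)
        if "netsh" in cmd and "allowedprogram" in cmd and any(d in cmd for d in USER_WRITABLE):
            hits.append((p.pid, "firewall exception for a binary in a user-writable path"))
        m = re.search(r"ipsec static add filter .*dstport=(\d+)", cmd)
        if m and m.group(1) in LATERAL_PORTS:
            hits.append((p.pid, f"IPsec filter on inbound port {m.group(1)}"))
        if "schtasks" in cmd and "/create" in cmd and "/xml" in cmd and "\\temp\\" in cmd:
            hits.append((p.pid, "scheduled task created from an XML file in Temp"))
        if name in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
            hits.append((p.pid, f"{name} running from {path}"))
        if name == "svchost.exe":
            parent = by_pid.get(p.parent) if p.parent is not None else None
            if parent is not None and ntpath.basename(exe_path(parent.cmd)).lower() != "services.exe":
                hits.append((p.pid, f"svchost.exe spawned by {parent.image} instead of services.exe"))
            if re.search(r'-k\s+"\s*"', cmd):
                hits.append((p.pid, "svchost.exe started with a blank service group"))
        if name == "cmd.exe" and "ping" in cmd and re.search(r"&&\s*del\b", cmd):
            hits.append((p.pid, "ping-then-del self-removal"))
    return hits


if __name__ == "__main__":
    for pid, why in find_suspicious(parse_tree(SAMPLE_TREE)):
        print(f"PID {pid}: {why}")
```

On the sample above the script flags PIDs 7092, 5748, 6420, 6552 (twice: wrong directory and wrong parent), 1852 and 6268, and nothing else; the top-level svchost.exe (PID 6268) is caught only by its blank `-k " "` group, because the tree records no parent for it. The parent check is the same idea as the "Suspicious Svchost Process" Sigma rule: a real svchost.exe is a child of services.exe.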
Yara matches on the initial sample

Source | Rule | Description | Author | Strings
RIP_YOUR_PC_LOL.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1308075:$x1: NanoCore.ClientPluginHost
  • 0x13080b2:$x2: IClientNetworkHost
  • 0x130bbe5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
RIP_YOUR_PC_LOL.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7bdb7:$key: HawkEyeKeylogger
  • 0x7dff3:$salt: 099u787978786
  • 0x7c3f0:$string1: HawkEye_Keylogger
  • 0x7d243:$string1: HawkEye_Keylogger
  • 0x7df53:$string1: HawkEye_Keylogger
  • 0x7c7d9:$string2: holdermail.txt
  • 0x7c7f9:$string2: holdermail.txt
  • 0x7c71b:$string3: wallet.dat
  • 0x7c733:$string3: wallet.dat
  • 0x7c749:$string3: wallet.dat
  • 0x7db35:$string4: Keylog Records
  • 0x7de4d:$string4: Keylog Records
  • 0x7e04b:$string5: do not script -->
  • 0x7bd9f:$string6: \pidloc.txt
  • 0x7be05:$string7: BSPLIT
  • 0x7be15:$string7: BSPLIT
RIP_YOUR_PC_LOL.exe | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x7901:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
RIP_YOUR_PC_LOL.exe | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
RIP_YOUR_PC_LOL.exe | JoeSecurity_GenericDropper | Yara detected Generic Dropper | Joe Security
(12 entries in total; only the first are shown here)

Yara matches on network traffic (PCAP)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Yara matches on dropped files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\gay.exe | JoeSecurity_Njrat | Yara detected Njrat | Joe Security
C:\Users\user\AppData\Roaming\gay.exe | MALWARE_Win_NjRAT | Detects NjRAT / Bladabindi | ditekSHen
  • 0x81fc:$s1: netsh firewall delete allowedprogram
  • 0x80f2:$s2: netsh firewall add allowedprogram
  • 0x825c:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 6B 00 20 00 70 00 69 00 6E 00 67
  • 0x7ee6:$s4: Execute ERROR
  • 0x7f46:$s4: Execute ERROR
  • 0x7f0a:$s5: Download ERROR
  • 0x82a2:$s6: [kl]
C:\Users\user\AppData\Roaming\gay.exe | njrat1 | Identify njRat | Brian Wallace @botnet_hunter
  • 0x80f2:$a1: netsh firewall add allowedprogram
  • 0x82ec:$b1: [TAP]
  • 0x8292:$b2: & exit
  • 0x825e:$c1: md.exe /k ping 0 & del
C:\Users\user\AppData\Roaming\Opus.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
C:\Users\user\AppData\Roaming\Opus.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
(35 entries in total; only the first are shown here)

Yara matches on memory dumps

Source | Rule | Description | Author | Strings
00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x97f3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
(237 entries in total; only the first are shown here)

Yara matches on unpacked PE files

Source | Rule | Description | Author | Strings
0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x99f3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack | MALWARE_Win_BlackMoon | Detects executables using BlackMoon RunTime | ditekSHen
  • 0x4e6a:$s1: blackmoon
  • 0x4eaa:$s2: BlackMoon RunTime Error:
0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x7bf3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
(661 entries in total; only the first are shown here)

AV Detection

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary

Source: Process started | Author: David Burkett | Data: Command: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\___11.19.exe" , ParentImage: C:\Users\user\AppData\Roaming\___11.19.exe, ParentProcessId: 6732, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ProcessId: 6552
Source: Process started | Author: Florian Roth | Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Opus.exe" , ParentImage: C:\Users\user\AppData\Roaming\Opus.exe, ParentProcessId: 3244, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, ProcessId: 6420
Source: Process started | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Data: Command: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\___11.19.exe" , ParentImage: C:\Users\user\AppData\Roaming\___11.19.exe, ParentProcessId: 6732, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ProcessId: 6552
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\___11.19.exe" , ParentImage: C:\Users\user\AppData\Roaming\___11.19.exe, ParentProcessId: 6732, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ProcessId: 6552
Source: File created | Author: Sander Wiebing, Tim Shelton | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\22.exe, ProcessId: 1272, TargetFilename: C:\Windows\Help\Winlogon.exe
Source: Process started | Author: frack113 | Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Opus.exe" , ParentImage: C:\Users\user\AppData\Roaming\Opus.exe, ParentProcessId: 3244, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, ProcessId: 6420
Source: Process started | Author: Markus Neis, Sander Wiebing | Data: Command: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE, CommandLine: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE, CommandLine|base64offset|contains: l, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\mediaget.exe" , ParentImage: C:\Users\user\AppData\Roaming\mediaget.exe, ParentProcessId: 4688, ProcessCommandLine: netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE, ProcessId: 7092
Source: DNS query | Author: Brandon George (blog post), Thomas Patzke (rule) | Data: Image: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe, QueryName: api.ipify.org
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Users\user\AppData\Roaming\mediaget.exe" .., EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\mediaget.exe, ProcessId: 4688, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\a797c6ca3f5e7aff8fa1149c47fe9466
Source: Process started | Author: Florian Roth | Data: Command: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Opus.exe" , ParentImage: C:\Users\user\AppData\Roaming\Opus.exe, ParentProcessId: 3244, ProcessCommandLine: schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp, ProcessId: 6420
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Data: Details: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Monitor
Source: Process started | Author: frack113 | Data: Command: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, CommandLine: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ParentImage: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentProcessId: 6552, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, ProcessId: 1852
Source: Process started | Author: frack113 | Data: Command: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, CommandLine: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ParentImage: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentProcessId: 6552, ProcessCommandLine: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul, ProcessId: 1852
Source: Process started | Author: vburov | Data: Command: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\___11.19.exe" , ParentImage: C:\Users\user\AppData\Roaming\___11.19.exe, ParentProcessId: 6732, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\\svchost.exe, ProcessId: 6552
Source: Process started | Author: frack113 | Data: Command: "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe" , ParentImage: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe, ParentProcessId: 5376, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe" , ProcessId: 6920
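The System Summary records above are Sysmon-shaped events (EventID 11 file creation, 13 registry value set, 22 DNS query) that Joe Sandbox has run through Sigma rules. The following is an added example, not part of the report or of any Sigma tooling: a minimal evaluator for the small subset of Sigma syntax needed here (`field|contains`, `|startswith`, `|endswith`, a list meaning "any of", one selection ANDed with NOT one filter), with three rules modelled on the ones that fire above: an autorun key written by a process running from a user-writable location, a file carrying a core system binary's name created under C:\Windows but outside the real system directories, and a DNS query to an IP lookup service. The first five events are taken from the records above; the last two are constructed benign controls, and the extra lookup-service domains and the lists of user-writable paths and system binary names are assumptions of this example.

```python
"""Sigma-subset matching over Sysmon-shaped events (added example, not part of the report)."""
from typing import Any, Dict, List, Tuple

# Assumed conventions for this example.
USER_WRITABLE = ["\\AppData\\", "\\Users\\Public\\", "\\ProgramData\\", "\\Temp\\"]
SYSTEM_BINARIES = ["\\winlogon.exe", "\\svchost.exe", "\\lsass.exe", "\\csrss.exe",
                   "\\services.exe", "\\explorer.exe"]

RULES: List[Dict[str, Any]] = [
    {
        "title": "Autorun key set by a process in a user-writable location",
        "selection": {
            "EventID": 13,
            "TargetObject|contains": "\\Microsoft\\Windows\\CurrentVersion\\Run",
            "Image|contains": USER_WRITABLE,
        },
    },
    {
        "title": "File with a system process name created outside the system directories",
        "selection": {
            "EventID": 11,
            "TargetFilename|startswith": "C:\\Windows\\",
            "TargetFilename|endswith": SYSTEM_BINARIES,
        },
        # Legitimate locations for these names; the selection must NOT match the filter.
        "filter": {
            "TargetFilename|startswith": ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\",
                                          "C:\\Windows\\WinSxS\\"],
        },
    },
    {
        "title": "DNS query to a public IP lookup service",
        "selection": {
            "EventID": 22,
            # api.ipify.org is the one queried in this report; the others are assumed additions.
            "QueryName|endswith": ["api.ipify.org", "ipinfo.io", "checkip.amazonaws.com", "ip-api.com"],
        },
    },
]

EVENTS: List[Dict[str, Any]] = [
    # Taken from the "Registry Key set", "File created" and "DNS query" records above.
    {"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Roaming\\Opus.exe",
     "TargetObject": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DHCP Monitor",
     "Details": "C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe"},
    {"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Roaming\\mediaget.exe",
     "TargetObject": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\a797c6ca3f5e7aff8fa1149c47fe9466",
     "Details": '"C:\\Users\\user\\AppData\\Roaming\\mediaget.exe" ..'},
    {"EventID": 11, "Image": "C:\\Users\\user\\AppData\\Roaming\\22.exe",
     "TargetFilename": "C:\\Windows\\Help\\Winlogon.exe"},
    {"EventID": 11, "Image": "C:\\Users\\user\\AppData\\Roaming\\Opus.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\D06ED635-68F6-4E9A-955C-4899F5F57B9A\\run.dat"},
    {"EventID": 22, "Image": "C:\\Users\\user\\AppData\\Roaming\\0fd7de5367376231a788872005d7ed4f.exe",
     "QueryName": "api.ipify.org"},
    # Constructed benign controls (not from the report): a system service writing a Run
    # value, and a servicing operation placing winlogon.exe in the component store.
    {"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "%windir%\\system32\\SecurityHealthSystray.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\WinSxS\\example_component\\winlogon.exe"},
]


def field_matches(event: Dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one 'field|modifier: value(s)' pair; Sigma matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    wanted = [str(w).lower() for w in (expected if isinstance(expected, list) else [expected])]
    if modifier == "":
        return actual in wanted
    if modifier == "contains":
        return any(w in actual for w in wanted)
    if modifier == "startswith":
        return any(actual.startswith(w) for w in wanted)
    if modifier == "endswith":
        return any(actual.endswith(w) for w in wanted)
    raise ValueError(f"unsupported modifier: {modifier}")


def block_matches(event: Dict[str, Any], block: Dict[str, Any]) -> bool:
    """All field conditions inside one selection/filter block are ANDed."""
    return all(field_matches(event, k, v) for k, v in block.items())


def evaluate(rules: List[Dict[str, Any]], events: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (Image, rule title) for every event matching 'selection and not filter'."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for rule in rules:
            if block_matches(ev, rule["selection"]) and not (
                "filter" in rule and block_matches(ev, rule["filter"])
            ):
                hits.append((ev["Image"], rule["title"]))
    return hits


if __name__ == "__main__":
    for image, title in evaluate(RULES, EVENTS):
        print(f"{title}: {image}")
```

Four of the seven events match: both Run-key writes (Opus.exe and mediaget.exe run from AppData\Roaming), the Winlogon.exe dropped into C:\Windows\Help, and the api.ipify.org lookup. The two controls do not: the SecurityHealth value is written by a process in System32, and the WinSxS copy of winlogon.exe is excluded by the filter block, which is the same mechanism the Sigma rules use to suppress legitimate servicing activity.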

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Opus.exe, ProcessId: 3244, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat


                    AV Detection

                    barindex
                    Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\AppData\Roaming\Opus.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen7
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                    Source: C:\Users\user\AppData\Roaming\___11.19.exeAvira: detection malicious, Label: TR/Dropper.GR
                    Source: C:\Users\user\AppData\Roaming\___11.19.exeAvira: detection malicious, Label: TR/Agent.aagt
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeAvira: detection malicious, Label: TR/AD.RedLineSteal.cjshc
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen7
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exeAvira: detection malicious, Label: TR/AD.MalwareCrypter.rrsdk
                    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen7
                    Source: C:\Windows\Help\active_desktop_render.dllAvira: detection malicious, Label: HEUR/AGEN.1245024
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                    Source: C:\Users\user\AppData\Roaming\gay.exeAvira: detection malicious, Label: TR/ATRAPS.Gen
                    Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\AppData\Roaming\22.exeAvira: detection malicious, Label: HEUR/AGEN.1227810
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeAvira: detection malicious, Label: TR/AD.MExecute.lzrac
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeAvira: detection malicious, Label: SPR/Tool.MailPassView.473
                    Source: C:\Windows\Cursors\WUDFhosts.exeAvira: detection malicious, Label: HEUR/AGEN.1213003
                    Source: C:\Users\user\AppData\Roaming\a.exeAvira: detection malicious, Label: TR/AD.RedLineSteal.cjshc
                    Source: C:\Users\user\AppData\Roaming\3.exeAvira: detection malicious, Label: HEUR/AGEN.1203070
                    Source: C:\Users\user\AppData\Roaming\test.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\AppData\Roaming\aaa.exeAvira: detection malicious, Label: TR/Dropper.MSIL.Gen
                    Source: Yara match | File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match | File source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED
                    Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: RIP_YOUR_PC_LOL.exe | Virustotal: Detection: 63%
                    Source: RIP_YOUR_PC_LOL.exe | Metadefender: Detection: 33%
                    Source: RIP_YOUR_PC_LOL.exe | ReversingLabs: Detection: 73%
                    Source: Yara match | File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match | File source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: gay.exe PID: 1104, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: mediaget.exe PID: 4688, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: RIP_YOUR_PC_LOL.exe | Avira: detected
                    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Metadefender: Detection: 85%
                    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 100%
                    Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe | Metadefender: Detection: 29%
                    Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe | ReversingLabs: Detection: 85%
                    Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe | Metadefender: Detection: 29%
                    Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe | ReversingLabs: Detection: 85%
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | Metadefender: Detection: 29%
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | ReversingLabs: Detection: 92%
                    Source: C:\Users\user\AppData\Roaming\22.exe | Metadefender: Detection: 38%
                    Source: C:\Users\user\AppData\Roaming\22.exe | ReversingLabs: Detection: 85%
                    Source: C:\Users\user\AppData\Roaming\3.exe | Metadefender: Detection: 47%
                    Source: C:\Users\user\AppData\Roaming\3.exe | ReversingLabs: Detection: 82%
                    Source: C:\Users\user\AppData\Roaming\4.exe | ReversingLabs: Detection: 75%
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | Metadefender: Detection: 26%
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | ReversingLabs: Detection: 85%
                    Source: RIP_YOUR_PC_LOL.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\Opus.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\___11.19.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\4.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | Joe Sandbox ML: detected
                    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
                    Source: C:\Windows\Help\active_desktop_render.dll | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\gay.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\22.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Joe Sandbox ML: detected
                    Source: C:\Windows\Cursors\WUDFhosts.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\a.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\3.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\test.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\aaa.exe | Joe Sandbox ML: detected
                    Source: 9.2.Opus.exe.840000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.4.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 4.0.healastounding.exe.900000.4.unpack | Avira: Label: TR/AD.RedLineSteal.cjshc
                    Source: 4.0.healastounding.exe.900000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack | Avira: Label: TR/AD.MExecute.lzrac
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack | Avira: Label: SPR/Tool.MailPassView.473
                    Source: 9.0.Opus.exe.840000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.2.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 12.2.aaa.exe.2c0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
                    Source: 8.0.gay.exe.d0000.2.unpack | Avira: Label: TR/ATRAPS.Gen
                    Source: 12.0.aaa.exe.2c0000.2.unpack | Avira: Label: TR/Dropper.MSIL.Gen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.57b3478.6.unpack | Avira: Label: TR/Patched.Ren.Gen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.5755c99.18.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
                    Source: 11.0.22.exe.457136.14.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack | Avira: Label: TR/Inject.vcoldi
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.3.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 6.2.test.exe.da0000.0.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 8.2.gay.exe.d0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
                    Source: 12.0.aaa.exe.2c0000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen
                    Source: 4.2.healastounding.exe.900000.0.unpack | Avira: Label: TR/AD.RedLineSteal.cjshc
                    Source: 4.2.healastounding.exe.900000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.1.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 4.0.healastounding.exe.900000.0.unpack | Avira: Label: TR/AD.RedLineSteal.cjshc
                    Source: 4.0.healastounding.exe.900000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.6.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 9.2.Opus.exe.5b00000.7.unpack | Avira: Label: TR/NanoCore.fadte
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.5.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 11.0.22.exe.457136.21.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.dda1e2.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.9.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.e387f7.8.unpack | Avira: Label: TR/Patched.Ren.Gen
                    Source: 6.0.test.exe.da0000.0.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 17.0.mediaget.exe.ab0000.3.unpack | Avira: Label: TR/ATRAPS.Gen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.d587a1.7.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
                    Source: 17.0.mediaget.exe.ab0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
                    Source: 11.0.22.exe.457136.9.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
                    Source: 9.0.Opus.exe.840000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.8.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.10.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack | Avira: Label: TR/Inject.vcoldi
                    Source: 17.2.mediaget.exe.ab0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.7.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 9.0.Opus.exe.840000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
                    Source: 8.0.gay.exe.d0000.1.unpack | Avira: Label: TR/ATRAPS.Gen
                    Source: 8.0.gay.exe.d0000.0.unpack | Avira: Label: TR/ATRAPS.Gen
                    Source: 11.0.22.exe.457136.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack | Avira: Label: TR/Patched.Ren.Gen
                    Source: 4.2.healastounding.exe.4582ffa.11.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.e387f7.8.unpack | Avira: Label: TR/Patched.Ren.Gen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.dda1e2.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
                    Source: 12.0.aaa.exe.2c0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.56d4258.19.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
                    Source: 17.0.mediaget.exe.ab0000.1.unpack | Avira: Label: TR/ATRAPS.Gen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.d587a1.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.dda1e2.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
                    Source: 4.0.healastounding.exe.900000.12.unpack | Avira: Label: TR/AD.RedLineSteal.cjshc
                    Source: 4.0.healastounding.exe.900000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5956fd2.3.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 6.0.test.exe.da0000.2.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack | Avira: Label: TR/AD.MExecute.lzrac
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack | Avira: Label: SPR/Tool.MailPassView.473
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.d587a1.6.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack | Avira: Label: TR/AD.MExecute.lzrac
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack | Avira: Label: SPR/Tool.MailPassView.473
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
                    Source: 6.0.test.exe.da0000.3.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.5821276.21.unpack | Avira: Label: TR/Patched.Ren.Gen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.e387f7.7.unpack | Avira: Label: TR/Patched.Ren.Gen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 12.0.aaa.exe.2c0000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack | Avira: Label: TR/Inject.vcoldi
                    Source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.unpack | Avira: Label: TR/Patched.Ren.Gen
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.11.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.ea57bf.8.unpack | Avira: Label: TR/Patched.Ren.Gen
                    Source: 14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 4.2.healastounding.exe.44c50a8.8.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.57b42ae.20.unpack | Avira: Label: TR/Patched.Ren.Gen
                    Source: 17.0.mediaget.exe.ab0000.2.unpack | Avira: Label: TR/ATRAPS.Gen
                    Source: 9.0.Opus.exe.840000.2.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
                    Source: 8.0.gay.exe.d0000.3.unpack | Avira: Label: TR/ATRAPS.Gen
                    Source: 4.0.healastounding.exe.900000.8.unpack | Avira: Label: TR/AD.RedLineSteal.cjshc
                    Source: 4.0.healastounding.exe.900000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
                    Source: 6.0.test.exe.da0000.1.unpack | Avira: Label: TR/Dropper.Gen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack | Avira: Label: TR/Patched.Ren.Gen
                    Source: RIP_YOUR_PC_LOL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: RIP_YOUR_PC_LOL.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, healastounding.exe, healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, 4.exe, 00000010.00000000.446983407.0000000001203000.00000002.00000001.01000000.0000000E.sdmp, 4.exe, 00000010.00000002.519990989.0000000001203000.00000002.00000001.01000000.0000000E.sdmp
                    Source: Binary string: D:\buildbot\slave1\desktop_screen\build\bin\active_desktop_launcher.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp
                    Source: Binary string: C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000000.407475822.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 0000000F.00000000.436842136.000000000041E000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: ]C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000000.407475822.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 0000000F.00000000.436842136.000000000041E000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Pluto Panel.exe, 00000005.00000002.710948269.0000000003B3A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712472379.0000000007710000.00000004.00000001.00040000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.706244077.0000000003705000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: autorun.inf
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
                    Source: healastounding.exe | Binary or memory string: autorun.inf
                    Source: healastounding.exe | Binary or memory string: [autorun]
                    Source: healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: autorun.inf
                    Source: healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: [autorun]
                    Source: healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
                    Source: healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
                    Source: Pluto Panel.exe | Binary or memory string: [autorun]
                    Source: Pluto Panel.exe | Binary or memory string: autorun.inf
                    Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: autorun.inf
                    Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: [autorun]
                    Source: gay.exe | Binary or memory string: autorun.inf
                    Source: gay.exe | Binary or memory string: [autorun]
                    Source: gay.exe, 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: autorun.inf
                    Source: gay.exe, 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp | Binary or memory string: [autorun]
                    Source: gay.exe, 00000008.00000002.451519757.0000000002744000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
                    Source: gay.exe, 00000008.00000002.451519757.0000000002744000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
                    Source: mediaget.exe, 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp | Binary or memory string: autorun.inf
                    Source: mediaget.exe, 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp | Binary or memory string: [autorun]
                    Source: mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: autorun.inf
                    Source: mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [autorun]
                    Source: mediaget.exe, 00000011.00000002.704209643.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
                    Source: mediaget.exe, 00000011.00000002.704209643.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then call 03201B20h
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then jmp 03201A73h
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then jmp 03201A73h
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then call 03201B20h
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then call 03201B20h
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then mov esp, ebp
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]

                    Networking

                    Source: DNS query: yabynennet.xyz
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | DNS query: name: api.ipify.org
                    Source: unknown | DNS query: name: whatismyipaddress.com
                    Source: unknown | DNS query: name: whatismyipaddress.com
                    Source: unknown | DNS query: name: whatismyipaddress.com
                    Source: unknown | DNS query: name: whatismyipaddress.com
                    Source: unknown | DNS query: name: whatismyipaddress.com
                    Source: unknown | DNS query: name: whatismyipaddress.com
                    Source: unknown | DNS query: name: whatismyipaddress.com
                    Source: unknown | DNS query: name: whatismyipaddress.com
                    Source: unknown | DNS query: name: whatismyipaddress.com
                    Source: unknown | DNS query: name: whatismyipaddress.com
                    Source: unknown | DNS query: name: gfhhjgh.duckdns.org
                    Source: global traffic | HTTP traffic detected: GET /?format=xml HTTP/1.1
                        Accept: */*
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                        Host: api.ipify.org
                        Connection: Keep-Alive
                    Source: global traffic | TCP traffic: 192.168.2.6:49768 -> 179.13.1.253:8050
                    Source: global traffic | TCP traffic: 192.168.2.6:49774 -> 41.249.51.34:1470
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                    Source: Pluto Panel.exe, 00000005.00000002.712709095.0000000008430000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0N
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://ocsp.thawte.com0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://s2.symcb.com0
                    Source: healastounding.exe | String found in binary or memory: http://schemas.microsof
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crl0a
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://sv.symcb.com/sv.crt0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://sv.symcd.com0&
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
                    Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://whatismyipaddress.com
                    Source: Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://whatismyipaddress.com/
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                    Source: Pluto Panel.exe, 00000005.00000003.445443819.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.440045453.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441297022.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.442021245.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445694166.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445564416.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441503544.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441818008.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445818252.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
                    Source: Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com.
                    Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comTC
                    Source: Pluto Panel.exe, 00000005.00000003.440045453.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441297022.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comY
                    Source: Pluto Panel.exe, 00000005.00000003.442021245.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441503544.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441818008.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comkC
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
                    Source: Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.como.W
                    Source: Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comt
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                    Source: Pluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.578609523.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
                    Source: Pluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/C
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlf
                    Source: Pluto Panel.exe, 00000005.00000003.546333465.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.537131070.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.588600543.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.556315402.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.580567393.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570425092.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.541181738.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.551450060.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.573427389.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersh
                    Source: Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
                    Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comFX
                    Source: Pluto Panel.exe, 00000005.00000002.711887980.0000000005C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
                    Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
                    Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd&
                    Source: Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.578609523.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comitu
                    Source: Pluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comlicd
                    Source: Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comn
                    Source: Pluto Panel.exe, 00000005.00000002.711887980.0000000005C50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comoX
                    Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comonyn
                    Source: Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comrsiv
                    Source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comsiv/C
                    Source: Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comtu
                    Source: Pluto Panel.exe, 00000005.00000003.413764911.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413943860.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413057625.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413330512.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: Pluto Panel.exe, 00000005.00000003.413330512.0000000005C85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comC
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432587858.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.433071734.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn$
                    Source: Pluto Panel.exe, 00000005.00000003.434083509.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                    Source: Pluto Panel.exe, 00000005.00000003.434083509.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.434485944.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.434712918.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/)
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: Pluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432459781.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnT
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cncz
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cncz$
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnv
                    Source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cp
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.freeeim.com/D
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: Pluto Panel.exe, 00000005.00000003.423909901.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.425696650.0000000005C85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.i.
                    Source: Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.466345951.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.469643417.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.466752175.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.465692163.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.467819425.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.467392892.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/)
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/J
                    Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Q
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/X
                    Source: Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/eu-e
                    Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/g
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i
                    Source: Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
                    Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/C
                    Source: Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/J
                    Source: Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/X
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ls
                    Source: Pluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/n
                    Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: Pluto Panel.exe, 00000005.00000003.461535327.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.462539198.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.comm
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.site.com/logs.php
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmpString found in binary or memory: http://www.symauth.com/cps0(
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmpString found in binary or memory: http://www.symauth.com/rpa00
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: Pluto Panel.exe, 00000005.00000003.434485944.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.434712918.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com&
                    Source: Pluto Panel.exe, 00000005.00000003.445903668.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com=
                    Source: Pluto Panel.exe, 00000005.00000003.445903668.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comic
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: Pluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
                    Source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: Pluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deMTq
                    Source: Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deR
                    Source: Pluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deg
                    Source: Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.derasg
                    Source: Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.co
                    Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnY
                    Source: Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnm
                    Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
                    Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.W
Source: Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnts
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: https://d.symcb.com/cps0%
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp | String found in binary or memory: https://d.symcb.com/rpa0
Source: healastounding.exe, healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, gay.exe, gay.exe, 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, mediaget.exe, 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0
Source: Pluto Panel.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://whatismyipaddress.com/
Source: Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://whatismyipaddress.comx&
Source: Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: Pluto Panel.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown | DNS traffic detected: queries for: store-images.s-microsoft.com
Source: global traffic | HTTP traffic detected:
    GET /?format=xml HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 80.87.192.115 (2 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 172.98.92.42 (6 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 80.87.192.115 (1 connection)
Source: unknown | TCP traffic detected without corresponding DNS query: 172.98.92.42 (12 connections)
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Pluto Panel.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
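The networking entries above are the part of this report that ends up on a blocklist, and extraction has run the two table columns (source and detection) together. What follows is an added example, not part of the Joe Sandbox report: a small Python parser that pulls the indicator value out of each entry type (peers contacted without a DNS lookup, counted per IP because the report lists one entry per connection; DNS query names; the HTTP Host header; URLs found in memory; dropped-file paths) and then separates blockable indicators from context. The sample lines are retyped and shortened from this report's own entries. The BENIGN_HOSTS and IP_CHECK_HOSTS triage lists are the editor's assumptions, not something the report states.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Sample input: entries retyped (and shortened) from the networking and Yara
# sections of this report. The separator between the "Source" column and the
# detection text is optional, so lines that extraction ran together parse too.
SAMPLE_LINES = [
    "Source: unknown | DNS traffic detected: queries for: store-images.s-microsoft.com",
    "Source: global traffic | HTTP traffic detected: GET /?format=xml HTTP/1.1 "
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0) Host: api.ipify.org Connection: Keep-Alive",
    "Source: unknownTCP traffic detected without corresponding DNS query: 80.87.192.115",
    "Source: unknownTCP traffic detected without corresponding DNS query: 172.98.92.42",
    "Source: unknownTCP traffic detected without corresponding DNS query: 172.98.92.42",
    "Source: Pluto Panel.exe | String found in binary or memory: https://whatismyipaddress.com/",
    "Source: healastounding.exe | String found in binary or memory: "
    "https://dl.dropbox.com/s/p84aaz28t0hepul/Pass.exe?dl=0",
    "Source: RIP_YOUR_PC_LOL.exe | String found in binary or memory: https://www.digicert.com/CPS0",
    "Source: Yara match | File source: C:\\Users\\user\\AppData\\Roaming\\Pluto Panel.exe, type: DROPPED",
    "Source: Yara match | File source: C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe, type: DROPPED",
    "Source: Yara match | File source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE",
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
RE_NO_DNS_IP = re.compile(r"TCP traffic detected without corresponding DNS query:\s*(" + IPV4 + r")")
RE_DNS_QUERY = re.compile(r"DNS traffic detected: queries for:\s*([A-Za-z0-9.-]+)")
RE_HTTP_HOST = re.compile(r"HTTP traffic detected:.*?\bHost:\s*([A-Za-z0-9.-]+)")
RE_URL = re.compile(r"String found in binary or memory:\s*(https?://\S+)")
RE_DROPPED = re.compile(r"File source:\s*(.+?), type: DROPPED\b")

# Triage lists: editor's assumptions, not something the report states.
# Certificate-policy/CRL hosts come from the Authenticode signature and the
# Microsoft store image CDN is background OS traffic; neither is C2. IP lookup
# services show the sample fingerprints the victim's public address but are
# shared infrastructure, so they are reported as behaviour, not blocked.
BENIGN_HOSTS = {"www.digicert.com", "d.symcb.com", "store-images.s-microsoft.com"}
IP_CHECK_HOSTS = {"api.ipify.org", "whatismyipaddress.com"}


def extract_iocs(lines):
    """Parse report entries into raw indicators; each TCP event is counted."""
    iocs = {"ips": Counter(), "domains": set(), "urls": set(), "dropped_files": set()}
    for line in lines:
        if m := RE_NO_DNS_IP.search(line):
            iocs["ips"][m.group(1)] += 1
        if m := RE_DNS_QUERY.search(line):
            iocs["domains"].add(m.group(1))
        if m := RE_HTTP_HOST.search(line):
            iocs["domains"].add(m.group(1))
        if m := RE_URL.search(line):
            iocs["urls"].add(m.group(1))
        if m := RE_DROPPED.search(line):
            iocs["dropped_files"].add(m.group(1))
    return iocs


def triage(iocs):
    """Split raw indicators into blocklist candidates and context-only hits."""
    block_urls, block_domains, ip_check = set(), set(), set()
    for url in iocs["urls"]:
        host = urlparse(url).hostname or ""
        if host in BENIGN_HOSTS:
            continue
        if host in IP_CHECK_HOSTS:
            ip_check.add(host)
        else:
            block_urls.add(url)
    for host in iocs["domains"]:
        if host in BENIGN_HOSTS:
            continue
        if host in IP_CHECK_HOSTS:
            ip_check.add(host)
        else:
            block_domains.add(host)
    return {
        # every peer reached with no DNS lookup is a hard-coded C2 candidate
        "block_ips": sorted(iocs["ips"]),
        "block_domains": sorted(block_domains),
        "block_urls": sorted(block_urls),
        "ip_check_services": sorted(ip_check),
        "dropped_files": sorted(iocs["dropped_files"]),
    }


if __name__ == "__main__":
    raw = extract_iocs(SAMPLE_LINES)
    print("TCP events per peer with no DNS lookup:", dict(raw["ips"]))
    for key, values in triage(raw).items():
        print(f"{key}: {values}")
```

On the full report the per-IP counter is the number that matters: 172.98.92.42 receives eighteen connections with no preceding DNS query, which is the beaconing pattern of a hard-coded C2 address, while api.ipify.org and whatismyipaddress.com only back the "may check the online IP address" verdict and should not be blocked organisation-wide.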

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Pluto Panel.exe PID: 4236, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED
Source: Yara match | File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
Source: Pluto Panel.exe.0.dr, Form1.cs | .Net Code: HookKeyboard
Source: gay.exe.4.dr, kl.cs | .Net Code: VKCodeToUnicode
Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs | .Net Code: HookKeyboard
Source: Opus.exe, 00000009.00000002.701598795.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Opus.exe, 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: RegisterRawInputDevices
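The .Net Code and memory-string entries just above (HookKeyboard, VKCodeToUnicode, RegisterRawInputDevices, the DDRAW.DLL hook descriptor) are the evidence behind the capture verdict. The following is an added example, not part of the Joe Sandbox report: a Python routine that checks the bytes of a dropped file for those same indicator strings in both encodings a Windows binary can hold them in (8-bit, as the .NET #Strings heap stores member names in UTF-8, and UTF-16LE, as the .NET #US heap and wide Win32 strings use), so a defender holding C:\Users\user\AppData\Roaming\Pluto Panel.exe or Opus.exe can confirm the capability claim against the file itself rather than trusting the sandbox verdict. The capability labels and the sample blob are the editor's constructions for illustration; only the indicator strings come from the report.

```python
# Indicator strings quoted from the capture section of this report, mapped to
# the capability each one implies (the labels are the editor's, not the report's).
CAPTURE_INDICATORS = {
    "HookKeyboard": "keyboard hook installation (keylogging)",
    "VKCodeToUnicode": "virtual-key to character translation (keystroke decoding)",
    "RegisterRawInputDevices": "raw input registration (keystroke capture without a hook)",
    "DirectDrawCreateEx": "DirectDraw hook (screen capture)",
}


def needles(indicator):
    """The two byte forms a Windows binary can hold a string in: 8-bit (the
    .NET #Strings heap stores member names as UTF-8, plain ASCII for these
    names) and UTF-16LE (the .NET #US user-string heap and wide Win32 strings).
    Searching only one form is the usual way such a check misses a hit."""
    return {"ascii": indicator.encode("ascii"), "utf-16le": indicator.encode("utf-16-le")}


def scan_capture_strings(blob):
    """Return every (offset, encoding, indicator) hit in blob, sorted by offset.
    Overlapping occurrences are all reported because the search restarts one
    byte after each hit."""
    hits = []
    for indicator in CAPTURE_INDICATORS:
        for enc_name, needle in needles(indicator).items():
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                hits.append((pos, enc_name, indicator))
                start = pos + 1
    return sorted(hits)


def capabilities(hits):
    """Deduplicated capability labels implied by the hits."""
    return sorted({CAPTURE_INDICATORS[ind] for _, _, ind in hits})


# Constructed sample blob, not a real file: an ASCII method name as it would sit
# in .NET metadata, one API name stored as UTF-16LE, and the DDRAW hook
# descriptor the report found in Opus.exe memory, with filler bytes between.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"HookKeyboard\x00"
    + b"junk"
    + "RegisterRawInputDevices".encode("utf-16-le") + b"\x00\x00"
    + b'<HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>'
)


if __name__ == "__main__":
    found = scan_capture_strings(SAMPLE_BLOB)
    for offset, enc, ind in found:
        print(f"0x{offset:08x} {enc:9s} {ind}")
    print("implied capabilities:", capabilities(found))
```

To run it against a real artefact, pass the file contents (for example `scan_capture_strings(open(path, "rb").read())`) and compare the offsets with the .NET metadata streams in a PE viewer: a hit inside #Strings is a method the sample defines, a hit inside #US or a native import table is an API it calls, and a hit in neither is a string it carries for some other purpose, such as the XML hook descriptor above.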

E-Banking Fraud

Source: Yara match | File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match | File source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.674377761.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.673042782.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
Source: Yara match | File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match | File source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002A.00000000.507357595.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000003B.00000000.627731740.00000000007A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002E.00000000.548907669.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002E.00000002.610238464.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002A.00000002.552899490.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: gay.exe PID: 1104, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mediaget.exe PID: 4688, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED

                    Operating System Destruction

                    Source: C:\Users\user\AppData\Roaming\mediaget.exe; Process information set: 01 00 00 00

                    System Summary

                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.c8867b.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.5f65b6.17.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 11.0.22.exe.5f65b6.23.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.530edf.22.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.17.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.5f65b6.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.15.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.43de6f.19.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 11.0.22.exe.530edf.16.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.43de6f.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.c8867b.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.9.unpack, type: UNPACKEDPE; Matched rule: Detects Ficker infostealer; Author: ditekSHen
                    Source: 11.0.22.exe.43de6f.13.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 11.0.22.exe.530edf.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables using BlackMoon RunTime; Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NjRAT / Bladabindi; Author: ditekSHen
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE; Matched rule: Detects NanoCore; Author: ditekSHen
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE; Matched rule: Identify njRat; Author: Brian Wallace @botnet_hunter
                    Source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.5f65b6.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.16.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.d4dd52.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.11.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.c8867b.4.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.c8867b.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.43de6f.7.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.18.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 11.0.22.exe.400000.18.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 11.0.22.exe.530edf.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5839748.8.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 11.0.22.exe.530edf.22.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.c8867b.4.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 11.0.22.exe.530edf.16.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5a2fcfe.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 11.0.22.exe.530edf.11.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 15.2.0fd7de5367376231a788872005d7ed4f.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.unpack, type: UNPACKEDPEMatched rule: Detects Ficker infostealer Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.c8867b.3.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 11.0.22.exe.530edf.4.unpack, type: UNPACKEDPEMatched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPEMatched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0000002A.00000000.507357595.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 0000003B.00000000.627731740.00000000007A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.701971433.0000000001354000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000003.459495184.0000000000673000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Azorult in memory | Author: JPCERT/CC Incident Response Group
Source: 0000002E.00000000.548907669.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 0000002E.00000002.610238464.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 0000002A.00000002.552899490.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.703770994.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000003.459275166.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Azorult in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000019.00000003.458681148.000000000067C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Azorult in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000019.00000003.458183685.0000000000660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Azorult in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000025.00000000.491609227.00000000002A2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects NanoCore | Author: ditekSHen
Source: 00000024.00000002.674377761.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000024.00000002.673042782.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED | Matched rule: Detects NanoCore | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED | Matched rule: Identify njRat | Author: Brian Wallace @botnet_hunter
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: Detects NanoCore | Author: ditekSHen
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: C:\Windows\Help\active_desktop_render.dll, type: DROPPED | Matched rule: Detects executables using BlackMoon RunTime | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\3.exe, type: DROPPED | Matched rule: DCRat payload | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\3.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\22.exe, type: DROPPED | Matched rule: Detects executables using BlackMoon RunTime | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED | Matched rule: Detects NjRAT / Bladabindi | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED | Matched rule: Detects NanoCore | Author: ditekSHen
Source: a.exe.4.dr | Static PE information: section name:
Source: a.exe.4.dr | Static PE information: section name:
Source: a.exe.4.dr | Static PE information: section name:
Source: a.exe.4.dr | Static PE information: section name:
Source: C:\Users\user\AppData\Roaming\healastounding.exe | Code function: 4_2_009466CB
Source: C:\Users\user\AppData\Roaming\healastounding.exe | Code function: 4_2_0090576E
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F1D426
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F2D5AE
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F1D523
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F27646
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F529BE
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F56AF4
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F7ABFC
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F73CBE
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F73C4D
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F73DC0
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F73D2F
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F1ED03
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F2AFA6
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F1CF92
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_01672477
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_03205758
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_03201D98
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_03207FCA
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_03207FD0
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_03206048
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_0320708A
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_03207098
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F4C7BC
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_03201DA8
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | Code function: 7_2_0040D390
Source: C:\Users\user\AppData\Roaming\gay.exe | Code function: 8_2_000D6B5E
Source: Pluto Panel.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pluto Panel.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pluto Panel.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0fd7de5367376231a788872005d7ed4f.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0fd7de5367376231a788872005d7ed4f.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0fd7de5367376231a788872005d7ed4f.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0fd7de5367376231a788872005d7ed4f.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ___11.19.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ___11.19.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ___11.19.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ___11.19.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ___11.19.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ___11.19.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ___11.19.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ___11.19.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Roaming\4.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\4.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Roaming\4.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\4.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Roaming\4.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Roaming\4.exe | Section loaded: dxgidebug.dll
Source: RIP_YOUR_PC_LOL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE | Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: RIP_YOUR_PC_LOL.exe, type: SAMPLE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.c8867b.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.5f65b6.17.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 5.2.Pluto Panel.exe.36b9cb4.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 5.2.Pluto Panel.exe.3b3a1c4.6.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 5.2.Pluto Panel.exe.7700000.9.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 11.0.22.exe.5f65b6.23.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.530edf.22.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.2ea1844.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.17.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.5f65b6.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.15.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.43de6f.19.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.530edf.16.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.43de6f.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.c8867b.4.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 11.0.22.exe.43de6f.13.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 11.0.22.exe.530edf.11.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.5870000.5.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.5f65b6.5.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.7.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.16.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.d4dd52.4.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.11.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.c8867b.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 5.2.Pluto Panel.exe.7710000.10.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.c8867b.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.43de6f.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.18.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 11.0.22.exe.400000.18.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 11.0.22.exe.530edf.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5839748.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 11.0.22.exe.530edf.22.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.d4dd52.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.c8867b.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 11.0.22.exe.530edf.16.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5a2fcfe.10.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 11.0.22.exe.530edf.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.19.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.14.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 15.2.0fd7de5367376231a788872005d7ed4f.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Ficker author = ditekSHen, description = Detects Ficker infostealer, clamav_sig = MALWARE.Win.Trojan.Ficker
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPEMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.c8867b.3.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 11.0.22.exe.530edf.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
                    Source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 5.2.Pluto Panel.exe.3706aac.5.raw.unpack, type: UNPACKEDPE, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 0000002A.00000000.507357595.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0000003B.00000000.627731740.00000000007A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000006.00000002.701971433.0000000001354000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000019.00000003.459495184.0000000000673000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000002E.00000000.548907669.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0000002E.00000002.610238464.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000002A.00000002.552899490.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000005.00000002.712472379.0000000007710000.00000004.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
                    Source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000006.00000002.703770994.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000019.00000003.459275166.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000019.00000003.458681148.000000000067C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                    Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
                    Source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: 00000019.00000003.458183685.0000000000660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
                    Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
                    Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
                    Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
                    Source: C:\Users\user\AppData\Roaming\22.exeFile created: C:\Windows\Help\Winlogon.exe
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeCode function: String function: 00F5BA9D appears 35 times
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamefreeeim.exe vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamereiudxamcsyuasdx.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADD
INGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStub.exe" vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamehealastounding.exe4 vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefoampounding.exe, vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamereiudxamcsyuasdx.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADD
INGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.exe" vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamehealastounding.exe4 vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameactive_desktop_launcher.exe, vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000002.696291372.0000000004350000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamebaseline.dll4 vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefreeeim.exe vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameactive_desktop_launcher.exe, vs RIP_YOUR_PC_LOL.exe
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.388706064.0000000005956000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamereiudxamcsyuasdx.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADD
INGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000002.696344828.00000000046D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebaseline.dll4 vs RIP_YOUR_PC_LOL.exe
                    Source: 8f1c8b40c7be588389a8d382040b23bb.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: a.exe.4.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
                    Source: Opus.exe.4.dr Static PE information: Section: .rsrc ZLIB complexity 0.995233050847
                    Source: a.exe.4.dr Static PE information: Section: ZLIB complexity 1.00057768486
                    Source: a.exe.4.dr Static PE information: Section: ZLIB complexity 1.021484375
                    Source: RIP_YOUR_PC_LOL.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe File created: C:\Users\user\AppData\Roaming\healastounding.exe
                    Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@84/32@48/5
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe File read: C:\Users\user\Desktop\desktop.ini
                    Source: Opus.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: Opus.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: Pluto Panel.exe.0.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: test.exe.4.dr, Client/Helper/Methods.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                    Source: test.exe.4.dr, Client/Helper/Methods.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: C:\Users\user\AppData\Roaming\Opus.exe File created: C:\Program Files (x86)\DHCP Monitor
                    Source: RIP_YOUR_PC_LOL.exe Virustotal: Detection: 63%
                    Source: RIP_YOUR_PC_LOL.exe Metadefender: Detection: 33%
                    Source: RIP_YOUR_PC_LOL.exe ReversingLabs: Detection: 73%
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown Process created: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe "C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Process created: C:\Users\user\AppData\Roaming\healastounding.exe "C:\Users\user\AppData\Roaming\healastounding.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Process created: C:\Users\user\AppData\Roaming\Pluto Panel.exe "C:\Users\user\AppData\Roaming\Pluto Panel.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Process created: C:\Users\user\AppData\Roaming\test.exe "C:\Users\user\AppData\Roaming\test.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Process created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Process created: C:\Users\user\AppData\Roaming\gay.exe "C:\Users\user\AppData\Roaming\gay.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Process created: C:\Users\user\AppData\Roaming\Opus.exe "C:\Users\user\AppData\Roaming\Opus.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Process created: C:\Users\user\AppData\Roaming\22.exe "C:\Users\user\AppData\Roaming\22.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Process created: C:\Users\user\AppData\Roaming\aaa.exe "C:\Users\user\AppData\Roaming\aaa.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Process created: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe "C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Process created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Process created: C:\Users\user\AppData\Roaming\4.exe "C:\Users\user\AppData\Roaming\4.exe"
                    Source: C:\Users\user\AppData\Roaming\gay.exe Process created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe"
                    Source: C:\Users\user\AppData\Roaming\aaa.exe Process created: C:\Users\user\AppData\Roaming\aaa.exe C:\Users\user\AppData\Roaming\aaa.exe
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Process created: C:\Users\user\AppData\Roaming\a.exe "C:\Users\user\AppData\Roaming\a.exe"
                    Source: C:\Users\user\AppData\Roaming\22.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add policy name=Block
                    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Process created: C:\Users\user\AppData\Roaming\___11.19.exe "C:\Users\user\AppData\Roaming\___11.19.exe"
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe Process created: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe"
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe Process created: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe "C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe"
                    Source: C:\Users\user\AppData\Roaming\22.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filterlist name=Filter1
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\Opus.exe C:\Users\user\AppData\Roaming\Opus.exe 0
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5D87.tmp
                    Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
                    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\22.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                    Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
                    Source: C:\Users\user\AppData\Roaming\4.exeProcess created: C:\Users\user\AppData\Roaming\3.exe "C:\Users\user\AppData\Roaming\3.exe"
                    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\___11.19.exeProcess created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\\svchost.exe
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe" ..
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\___11.19.exeProcess created: C:\Users\user\AppData\Local\Temp\svchos.exe C:\Users\user\AppData\Local\Temp\\svchos.exe
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe" ..
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe -auto
                    Source: unknownProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k " "
                    Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul
                    Source: C:\Windows\SysWOW64\TXPlatforn.exeProcess created: C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe -acsi
                    Source: C:\Users\user\AppData\Roaming\___11.19.exeProcess created: C:\Users\user\AppData\Roaming\HD____11.19.exe C:\Users\user\AppData\Roaming\HD____11.19.exe
                    Source: unknownProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k " "
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe" ..
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeProcess created: C:\Users\user\AppData\Roaming\healastounding.exe "C:\Users\user\AppData\Roaming\healastounding.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeProcess created: C:\Users\user\AppData\Roaming\Pluto Panel.exe "C:\Users\user\AppData\Roaming\Pluto Panel.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeProcess created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeProcess created: C:\Users\user\AppData\Roaming\22.exe "C:\Users\user\AppData\Roaming\22.exe"
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exeProcess created: C:\Users\user\AppData\Roaming\___11.19.exe "C:\Users\user\AppData\Roaming\___11.19.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\test.exe "C:\Users\user\AppData\Roaming\test.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\gay.exe "C:\Users\user\AppData\Roaming\gay.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\Opus.exe "C:\Users\user\AppData\Roaming\Opus.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\aaa.exe "C:\Users\user\AppData\Roaming\aaa.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe "C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\4.exe "C:\Users\user\AppData\Roaming\4.exe"
                    Source: C:\Users\user\AppData\Roaming\healastounding.exeProcess created: C:\Users\user\AppData\Roaming\a.exe "C:\Users\user\AppData\Roaming\a.exe"
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exeProcess created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                    Source: C:\Users\user\AppData\Roaming\gay.exeProcess created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe"
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp
                    Source: C:\Users\user\AppData\Roaming\Opus.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5D87.tmp
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add policy name=Block
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filterlist name=Filter1
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
                    Source: C:\Users\user\AppData\Roaming\22.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\aaa.exeProcess created: C:\Users\user\AppData\Roaming\aaa.exe C:\Users\user\AppData\Roaming\aaa.exe
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess created: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe"
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess created: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe "C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe"
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exeProcess created: unknown unknown
                    Source: C:\Users\user\AppData\Roaming\4.exeProcess created: C:\Users\user\AppData\Roaming\3.exe "C:\Users\user\AppData\Roaming\3.exe"
                    Source: C:\Users\user\AppData\Roaming\mediaget.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
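                    The process-creation evidence above carries several detection-worthy behaviours in one listing: 22.exe building an IPsec policy named "Block" with a filter list for inbound TCP/UDP 135, 139 and 445 (no `assign` step is visible in these lines, so whether the policy ever took effect is not shown by the report); mediaget.exe adding itself as a firewall-allowed program; Opus.exe registering "DHCP Monitor" tasks from XML files in %TEMP%; a svchost.exe running out of %TEMP% and another started with a blank `-k` service group; and a `cmd /c ping -n 2 127.0.0.1 > nul && del ...` self-deletion. The script below is an added example written for this page, not code from Joe Sandbox or from the sample; it parses constructed lines in the report's own "Source: <parent> Process created: <image> <command line>" shape (both the spaced and the run-together variant seen in this extraction) and applies simple rules for each of those behaviours. Rule names, the system-binary list and the sample lines are my assumptions.

```python
"""Rule-based triage of sandbox "Process created" lines (added example, not report code)."""
import re
from collections import Counter

# Constructed sample lines mirroring the report's evidence format (not copied from any live system).
SAMPLE_LINES = [
    r'Source: C:\Users\user\AppData\Roaming\22.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add policy name=Block',
    r'Source: C:\Users\user\AppData\Roaming\22.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP',
    r'Source: C:\Users\user\AppData\Roaming\mediaget.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE',
    r'Source: C:\Users\user\AppData\Roaming\Opus.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp"',
    r'Source: C:\Users\user\AppData\Roaming\___11.19.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe C:\Users\user\AppData\Local\Temp\\svchost.exe',
    r'Source: unknown Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k " "',
    r'Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\AppData\Local\Temp\svchost.exe > nul',
    r'Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# "\s*" before "Process created:" also accepts the run-together "...exeProcess created:" form.
EVENT_RE = re.compile(
    r'^Source:\s*(?P<parent>.+?)\s*Process created:\s*(?P<image>.+?\.exe)\s*(?P<cmdline>.*)$',
    re.IGNORECASE)
SVCHOST_K = re.compile(r'-k\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE)
SELF_DELETE = re.compile(r'ping\s+-n\s+\d+.*?&&\s*del\s+"?(?P<target>[^"&>]+?)"?\s*(>|&|$)', re.IGNORECASE)

SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
SYSTEM_NAMES = {'svchost.exe', 'conhost.exe', 'lsass.exe', 'csrss.exe', 'services.exe', 'winlogon.exe'}  # assumed list


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def rule_netsh(parent, image, cmd):
    if basename(image) != 'netsh.exe':
        return None
    low = cmd.lower()
    if 'ipsec static add' in low:
        return 'netsh ipsec policy manipulation (host-level port filtering)'
    if 'firewall add allowedprogram' in low or 'advfirewall firewall add rule' in low:
        return 'firewall exception added by netsh'
    return None


def rule_schtasks(parent, image, cmd):
    low = cmd.lower()
    if basename(image) == 'schtasks.exe' and '/create' in low and '/xml' in low and '\\temp\\' in low:
        return 'scheduled task created from XML in a Temp directory'
    return None


def rule_masquerade(parent, image, cmd):
    if basename(image) in SYSTEM_NAMES and not in_system_dir(image):
        return 'system binary name executed outside the system directory'
    return None


def rule_svchost(parent, image, cmd):
    # Only the genuine system svchost is checked here; a copy elsewhere is caught by rule_masquerade.
    if basename(image) != 'svchost.exe' or not in_system_dir(image):
        return None
    m = SVCHOST_K.search(cmd)
    group = '' if m is None else (m.group('q') if m.group('q') is not None else m.group('u'))
    if not group.strip():
        return 'svchost.exe started with a missing or blank -k service group'
    return None


def rule_self_delete(parent, image, cmd):
    m = SELF_DELETE.search(cmd) if basename(image) == 'cmd.exe' else None
    if m is None:
        return None
    if m.group('target').strip().lower() == parent.lower():
        return 'delayed self-deletion of the parent via ping && del'
    return 'delayed file deletion via ping && del'


def rule_user_profile(parent, image, cmd):
    return 'executable launched from the user profile (AppData)' if '\\appdata\\' in image.lower() else None


RULES = [rule_netsh, rule_schtasks, rule_masquerade, rule_svchost, rule_self_delete, rule_user_profile]


def parse_event(line):
    """Return (parent, image, cmdline) or None when the line is not a process-creation record."""
    m = EVENT_RE.match(line.strip())
    return None if m is None else (m.group('parent'), m.group('image'), m.group('cmdline'))


def triage(lines):
    """Return a list of (image basename, finding) for every rule that fires on every event."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        findings.extend((basename(event[1]), hit) for rule in RULES if (hit := rule(*event)))
    return findings


def summarize(lines):
    return Counter(hit for _, hit in triage(lines))


if __name__ == '__main__':
    for name, hit in triage(SAMPLE_LINES):
        print(f'{name}: {hit}')
```

                    Run against the constructed lines, the two IPsec commands, the firewall exception, the %TEMP% task XML, the misplaced svchost.exe (which also trips the AppData rule), the blank `-k` group and the ping-and-del self-deletion each produce a finding; the conhost.exe line produces none, which is the intended baseline for a legitimate console host.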
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: C:\Users\user\AppData\Roaming\Opus.exe File created: C:\Users\user\AppData\Local\Temp\tmp4896.tmp
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\test.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\gay.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\gay.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Roaming\gay.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\aaa.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: Pluto Panel.exe.0.dr, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: test.exe.4.dr, Client/Settings.cs Base64 encoded string: 'v6koimo+vF3BpFPktw8BetB7AEEQsjTP+2fUrZBifNQL3VLBnsc6kqaCQyc26UwN+wJnzl3S0KePTZMjcmvKrQ==', 'hTlHatPbydXHCRGS9wyzSyGV3lDBjQwrOqcw8Vu2ZOiS6WdPzcixmQ4HQ74RFBC6IMp/8uc3fwBetM+DvU0ymg==', [one string removed from this copy of the report], 'PNacpggE943C4yIAxkJJwCUgYrYxQZpenLl1Bqh8BnvgpkUJXkpgRwU5h3mt3Cs4MAyKzMVHoAd0U+v8e9UB1A==', 'Sg/SHVSZ/qR5y5EwqyWIRqfVY6rjte36C54KgrTe3F7ZT2bUzQddbjrFaSGUdi+PF9Qsi/pnRMxLVP5LZxs8og==', 'sgQCpAYNGXYv9lrcYNb6mSAEdN16LkgynbAWXkrPD7KnesLckmg3bIeh1bBoqD4eudmpegWPTJfkJgwn/f88lg==', 'GnRcTByJoC136DtixgIf1zT5HUVC8VfztoP4k7zA7bYXSoona8laBJOFq51jtcEvabtT740ceMv5a1woOTDVtA=='
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{c5a0b6d8-d1f7-45cd-943b-d5fda411e988}
                    Source: C:\Users\user\AppData\Roaming\test.exe Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
                    Source: C:\Users\user\AppData\Roaming\Opus.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe Mutant created: \Sessions\1\BaseNamedObjects\serhershesrhsfesrf
                    Source: Pluto Panel.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: Pluto Panel.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: Pluto Panel.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: Pluto Panel.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: Opus.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: Opus.exe.4.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
                    Source: Opus.exe.4.dr, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
                    Source: C:\Users\user\AppData\Roaming\test.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\test.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                    Source: RIP_YOUR_PC_LOL.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: RIP_YOUR_PC_LOL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: RIP_YOUR_PC_LOL.exe Static file information: File size 23633920 > 1048576
                    Source: RIP_YOUR_PC_LOL.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1689600
                    Source: RIP_YOUR_PC_LOL.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, healastounding.exe, healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, 4.exe, 00000010.00000000.446983407.0000000001203000.00000002.00000001.01000000.0000000E.sdmp, 4.exe, 00000010.00000002.519990989.0000000001203000.00000002.00000001.01000000.0000000E.sdmp
                    Source: Binary string: D:\buildbot\slave1\desktop_screen\build\bin\active_desktop_launcher.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmp
                    Source: Binary string: C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000000.407475822.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 0000000F.00000000.436842136.000000000041E000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: ]C:\nutideyebibede\soy\gebetugito\meliyo zodoz.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000000.407475822.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 00000007.00000002.465903756.000000000041E000.00000002.00000001.01000000.00000008.sdmp, 0fd7de5367376231a788872005d7ed4f.exe, 0000000F.00000000.436842136.000000000041E000.00000002.00000001.01000000.00000008.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Pluto Panel.exe, 00000005.00000002.710948269.0000000003B3A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712472379.0000000007710000.00000004.00000001.00040000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.706244077.0000000003705000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, Pluto Panel.exe, 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp

                    Data Obfuscation

                    Source: RIP_YOUR_PC_LOL.exe, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: healastounding.exe.0.dr, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Pluto Panel.exe.0.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Pluto Panel.exe.0.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Pluto Panel.exe.0.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Pluto Panel.exe.0.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: test.exe.4.dr, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                    Source: gay.exe.4.dr, OK.cs .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Opus.exe.4.dr, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: Opus.exe.4.dr, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.healastounding.exe.900000.4.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.2.healastounding.exe.900000.0.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.healastounding.exe.900000.0.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.healastounding.exe.900000.12.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 4.0.healastounding.exe.900000.8.unpack, Program.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F80712 push eax; ret
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_00F5BA9D push eax; ret
                    Source: C:\Users\user\AppData\Roaming\test.exe | Code function: 6_2_00DA2F81 push eax; ret
                    Source: C:\Users\user\AppData\Roaming\test.exe | Code function: 6_2_00DA7201 push es; iretd
                    Source: C:\Users\user\AppData\Roaming\test.exe | Code function: 6_2_00DA4122 push eax; ret
                    Source: C:\Users\user\AppData\Roaming\test.exe | Code function: 6_2_00DA2A66 push 0000003Eh; retn 0000h
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | Code function: 7_2_00416480 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                    Source: a.exe.4.dr | Static PE information: 0x85C84FCD [Thu Feb 14 23:29:17 2041 UTC]
                    Source: 4.exe.4.dr | Static PE information: section name: .didat
                    Source: a.exe.4.dr | Static PE information: section name:
                    Source: a.exe.4.dr | Static PE information: section name:
                    Source: a.exe.4.dr | Static PE information: section name:
                    Source: a.exe.4.dr | Static PE information: section name:
                    Source: a.exe.4.dr | Static PE information: section name: .uxD5Xzb
                    Source: a.exe.4.dr | Static PE information: section name: .adata
                    Source: Opus.exe.4.dr | Static PE information: real checksum: 0x0 should be: 0x361f1
                    Source: healastounding.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x38fcef
                    Source: test.exe.4.dr | Static PE information: real checksum: 0x0 should be: 0x12c3f
                    Source: aaa.exe.4.dr | Static PE information: real checksum: 0x0 should be: 0x2b8ea
                    Source: 4.exe.4.dr | Static PE information: real checksum: 0x0 should be: 0x8ea8d
                    Source: a.exe.4.dr | Static PE information: real checksum: 0x36412d should be: 0x179cea
                    Source: Pluto Panel.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0xe3f4e
                    Source: gay.exe.4.dr | Static PE information: real checksum: 0x0 should be: 0x17231
                    Source: 0fd7de5367376231a788872005d7ed4f.exe.0.dr | Static PE information: real checksum: 0x8cb64 should be: 0x8bd88
                    Source: 22.exe.0.dr | Static PE information: real checksum: 0x0 should be: 0x2047ff
                    Source: C:\Users\user\AppData\Roaming\4.exe | File created: C:\Users\user\AppData\Roaming\__tmp_rar_sfx_access_check_21517828
                    Source: initial sample | Static PE information: section name: .text entropy: 7.23229435769
                    Source: initial sample | Static PE information: section name: .text entropy: 7.79704182216
                    Source: initial sample | Static PE information: section name: entropy: 7.99417258092
                    Source: initial sample | Static PE information: section name: entropy: 7.59206430894
                    Source: initial sample | Static PE information: section name: .uxD5Xzb entropy: 7.91678806903
                    Source: Opus.exe.4.dr, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
                    Source: Opus.exe.4.dr, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | File created: C:\Users\user\AppData\Roaming\Pluto Panel.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | File created: C:\Users\user\AppData\Roaming\Opus.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | File created: C:\Users\user\AppData\Roaming\aaa.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | File created: C:\Users\user\AppData\Roaming\a.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | File created: C:\Users\user\AppData\Roaming\test.exe
                    Source: C:\Users\user\AppData\Roaming\gay.exe | File created: C:\Users\user\AppData\Roaming\mediaget.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | File created: C:\Users\user\AppData\Roaming\gay.exe
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | File created: C:\Users\user\AppData\Roaming\healastounding.exe
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | File created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | File created: C:\Users\user\AppData\Roaming\___11.19.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | File created: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | File created: C:\Users\user\AppData\Roaming\4.exe
                    Source: C:\Users\user\AppData\Roaming\22.exe | File created: C:\Windows\Cursors\WUDFhosts.exe
                    Source: C:\Users\user\AppData\Roaming\22.exe | File created: C:\Windows\Help\Winlogon.exe
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | File created: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | File created: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | File created: C:\Users\user\AppData\Roaming\22.exe
                    Source: C:\Users\user\AppData\Roaming\Opus.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                    Source: C:\Users\user\AppData\Roaming\22.exe | File created: C:\Windows\Help\active_desktop_render.dll
                    Source: C:\Users\user\AppData\Roaming\4.exe | File created: C:\Users\user\AppData\Roaming\3.exe

                    Boot Survival

                    Source: Yara match | File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run a797c6ca3f5e7aff8fa1149c47fe9466
                    Source: C:\Users\user\AppData\Roaming\Opus.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp
                    Source: C:\Users\user\AppData\Roaming\22.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\KuGouMusic
                    Source: C:\Users\user\AppData\Roaming\22.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\KuGouMusic

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\AppData\Roaming\Opus.exe | File opened: C:\Users\user\AppData\Roaming\Opus.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\aaa.exe | File opened: C:\Users\user\AppData\Roaming\aaa.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\test.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\gay.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\Opus.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\22.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\aaa.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\4.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara match | File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, healastounding.exe, healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, healastounding.exe, 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, test.exe, test.exe, 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe TID: 7116 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe TID: 5312 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe TID: 3440 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\gay.exe TID: 5732 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Opus.exe TID: 3456 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Opus.exe TID: 6076 | Thread sleep time: -40000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\aaa.exe TID: 5664 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Opus.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\healastounding.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\gay.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Opus.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\aaa.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | API coverage: 9.9 %
                    Source: C:\Users\user\AppData\Roaming\22.exe | Dropped PE file which has not been started: C:\Windows\Cursors\WUDFhosts.exe
                    Source: C:\Users\user\AppData\Roaming\22.exe | Dropped PE file which has not been started: C:\Windows\Help\Winlogon.exe
                    Source: C:\Users\user\AppData\Roaming\22.exe | Dropped PE file which has not been started: C:\Windows\Help\active_desktop_render.dll
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | API call chain: ExitProcess graph end node
                    Source: test.exe, 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: vmware
                    Source: 4.exe, 00000010.00000002.549082146.0000000005A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
                    Source: test.exe, 00000006.00000002.703368085.0000000001410000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
                    Source: healastounding.exe | Binary or memory string: \VMWare\
                    Source: 8f1c8b40c7be588389a8d382040b23bb.exe, 0000000E.00000000.431135181.00000000004BD000.00000020.00000001.01000000.0000000D.sdmp | Binary or memory string: \VMWare\F\oracle\virtualbox guest additions\
                    Source: 4.exe, 00000010.00000002.549082146.0000000005A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: Opus.exe, 00000009.00000002.702218807.0000000000F66000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.496866786.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.497883150.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.628943964.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.641573561.0000000001374000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.499366565.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.536070108.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.518432103.0000000001375000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.645223386.0000000001374000.00000004.00000020.00020000.00000000.sdmp, mediaget.exe, 00000011.00000003.501699554.0000000001375000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: aaa.exe, 0000000C.00000002.458844469.0000000002915000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware svga ii3vm additions s3 trio32/64
                    Source: C:\Users\user\AppData\Roaming\Opus.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Roaming\test.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | Code function: 7_2_00416480 LoadLibraryA,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | Code function: 7_2_0040EE60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\Users\user\AppData\Roaming\Opus.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\aaa.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\mediaget.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | Code function: 7_2_00404770 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | Code function: 7_2_0041A780 _memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\aaa.exe | Memory written: C:\Users\user\AppData\Roaming\aaa.exe base: 3E0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | Section unmapped: unknown base address: 400000
Source: Pluto Panel.exe.0.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Pluto Panel.exe.0.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: gay.exe.4.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll')
Source: gay.exe.4.dr, kl.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32'), ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: Opus.exe.4.dr, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs | Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
Source: 5.0.Pluto Panel.exe.f10000.8.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.0.Pluto Panel.exe.f10000.8.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 5.2.Pluto Panel.exe.f10000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.2.Pluto Panel.exe.f10000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 5.0.Pluto Panel.exe.f10000.4.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.0.Pluto Panel.exe.f10000.4.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 5.0.Pluto Panel.exe.f10000.12.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.0.Pluto Panel.exe.f10000.12.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Process created: C:\Users\user\AppData\Roaming\healastounding.exe "C:\Users\user\AppData\Roaming\healastounding.exe"
Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Process created: C:\Users\user\AppData\Roaming\Pluto Panel.exe "C:\Users\user\AppData\Roaming\Pluto Panel.exe"
Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Process created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Process created: C:\Users\user\AppData\Roaming\22.exe "C:\Users\user\AppData\Roaming\22.exe"
Source: C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe | Process created: C:\Users\user\AppData\Roaming\___11.19.exe "C:\Users\user\AppData\Roaming\___11.19.exe"
Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\test.exe "C:\Users\user\AppData\Roaming\test.exe"
Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\gay.exe "C:\Users\user\AppData\Roaming\gay.exe"
Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\Opus.exe "C:\Users\user\AppData\Roaming\Opus.exe"
Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\aaa.exe "C:\Users\user\AppData\Roaming\aaa.exe"
Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe "C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\4.exe "C:\Users\user\AppData\Roaming\4.exe"
Source: C:\Users\user\AppData\Roaming\healastounding.exe | Process created: C:\Users\user\AppData\Roaming\a.exe "C:\Users\user\AppData\Roaming\a.exe"
Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | Process created: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe "C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
Source: C:\Users\user\AppData\Roaming\gay.exe | Process created: C:\Users\user\AppData\Roaming\mediaget.exe "C:\Users\user\AppData\Roaming\mediaget.exe"
Source: C:\Users\user\AppData\Roaming\Opus.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp4896.tmp
Source: C:\Users\user\AppData\Roaming\Opus.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp5D87.tmp
Source: C:\Users\user\AppData\Roaming\22.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add policy name=Block
Source: C:\Users\user\AppData\Roaming\22.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filterlist name=Filter1
Source: C:\Users\user\AppData\Roaming\22.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
Source: C:\Users\user\AppData\Roaming\22.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
Source: C:\Users\user\AppData\Roaming\22.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
Source: C:\Users\user\AppData\Roaming\22.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
Source: C:\Users\user\AppData\Roaming\22.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
Source: C:\Users\user\AppData\Roaming\22.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\aaa.exe | Process created: C:\Users\user\AppData\Roaming\aaa.exe C:\Users\user\AppData\Roaming\aaa.exe
Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | Process created: C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe "C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe"
Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | Process created: C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe "C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe"
Source: C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\4.exe | Process created: C:\Users\user\AppData\Roaming\3.exe "C:\Users\user\AppData\Roaming\3.exe"
Source: mediaget.exe, 00000011.00000002.705065903.0000000003315000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: program managerH
Source: Opus.exe, 00000009.00000002.706154944.000000000307A000.00000004.00000800.00020000.00000000.sdmp, Opus.exe, 00000009.00000002.706141297.0000000003078000.00000004.00000800.00020000.00000000.sdmp, Opus.exe, 00000009.00000002.702218807.0000000000F66000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: mediaget.exe, 00000011.00000002.705065903.0000000003315000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: program manager.
Source: mediaget.exe, 00000011.00000002.704209643.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: program manager
Source: mediaget.exe, 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: RhProgram Manager$
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\test.exeQueries volume information: C:\Users\user\AppData\Roaming\test.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Pluto Panel.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exeCode function: 7_2_0040AE40 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.test.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5a556c1.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.test.exe.da0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1fdd5e1.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.test.exe.da0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.206ac1d.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.59c8085.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.healastounding.exe.3479694.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.test.exe.da0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.596a627.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: test.exe PID: 6236, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\test.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\22.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh ipsec static add policy name=Block
Source: C:\Users\user\AppData\Roaming\mediaget.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Roaming\mediaget.exe" "mediaget.exe" ENABLE
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: acs.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vsserv.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: avcenter.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: kxetray.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: avp.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: cfp.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KSafeTray.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: rtvscan.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 360tray.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ashDisp.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: TMBMSRV.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: avgwdsvc.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AYAgent.aye
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QUHLPSVC.EXE
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: RavMonD.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Mcshield.exe
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000014.00000003.641078460.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.4698e10.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.4698e10.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f6fa72.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Pluto Panel.exe PID: 4236, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED
Source: Yara match | File source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Pluto Panel.exe PID: 4236, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED
                    Source: Yara matchFile source: 00000019.00000003.459495184.0000000000673000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.459275166.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.458681148.000000000067C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.458183685.0000000000660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.674377761.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.673042782.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: Yara matchFile source: 00000025.00000000.491609227.00000000002A2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\3.exe, type: DROPPED
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara matchFile source: 00000019.00000003.459495184.0000000000673000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.459275166.0000000000698000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.458681148.000000000067C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000003.458183685.0000000000660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002A.00000000.507357595.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000003B.00000000.627731740.00000000007A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002E.00000000.548907669.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002E.00000002.610238464.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002A.00000002.552899490.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: gay.exe PID: 1104, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mediaget.exe PID: 4688, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: Yara matchFile source: 00000032.00000002.658863684.0000000010101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000035.00000002.705801059.0000000010101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000029.00000002.598333947.0000000010101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.17.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.15.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.16.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.18.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.13.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.19.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.14.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 15.2.0fd7de5367376231a788872005d7ed4f.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000007.00000002.468272297.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f19c0d.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.46b1030.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.15.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.4698e10.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.46b1030.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Pluto Panel.exe PID: 4236, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 00000014.00000003.641078460.00000000035A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f18208.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Pluto Panel.exe.f19c0d.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9fa0eb.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f6fa72.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.RIP_YOUR_PC_LOL.exe.5731eca.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f10000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f19c0d.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.9f86e6.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.Pluto Panel.exe.f18208.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.9f86e6.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.1.RIP_YOUR_PC_LOL.exe.9f86e6.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RIP_YOUR_PC_LOL.exe PID: 6880, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Pluto Panel.exe PID: 4236, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, type: DROPPED
                    Source: healastounding.exeString found in binary or memory: NanoCore.ClientPluginHost
                    Source: healastounding.exe, 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: healastounding.exe, 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Opus.exe, 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Opus.exe, 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Opus.exe, 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
                    Source: Opus.exe, 00000009.00000002.703475232.0000000002E91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Opus.exe, 00000009.00000002.703475232.0000000002E91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
                    Source: Opus.exe, 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Opus.exe, 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
                    Source: Opus.exe, 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 9.2.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b00000.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.4474268.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b00000.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.4474268.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3edeacc.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3ed9c96.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3edeacc.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.3ee30f5.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.902324.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Opus.exe.5b04629.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Opus.exe.840000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.14.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000000.475797127.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.567040014.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000026.00000000.491059532.0000000000272000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.629223400.0000000000572000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.579383399.0000000004081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.514866763.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000000.461250332.0000000000922000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.674377761.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000024.00000002.673042782.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Opus.exe PID: 3244, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Opus.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, type: DROPPED
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
                    Source: Yara matchFile source: 00000025.00000000.491609227.00000000002A2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\3.exe, type: DROPPED
                    Source: gay.exe.4.dr, OK.cs.Net Code: njRat config detected
                    Source: Yara matchFile source: RIP_YOUR_PC_LOL.exe, type: SAMPLE
                    Source: Yara matchFile source: 4.2.healastounding.exe.34865dc.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.gay.exe.d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.3479694.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.3474284.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.14.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.2.mediaget.exe.ab0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.15.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.34865dc.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1d1caed.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.7.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.13.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.RIP_YOUR_PC_LOL.exe.5707591.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce9ce8.12.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 17.0.mediaget.exe.ab0000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.0.gay.exe.d0000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.13.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.3.RIP_YOUR_PC_LOL.exe.5725596.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.935129.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.902324.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.1ce97c4.11.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.95312e.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.healastounding.exe.900000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000002A.00000000.507357595.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000003B.00000000.627731740.00000000007A2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000000.548907669.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.610238464.0000000000722000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.552899490.0000000000FB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: healastounding.exe PID: 3572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: gay.exe PID: 1104, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mediaget.exe PID: 4688, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\gay.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\mediaget.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\healastounding.exe, type: DROPPED
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Pluto Panel.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Pluto Panel.exe | String found in binary or memory: HawkEyeKeylogger
Source: Pluto Panel.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Pluto Panel.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Pluto Panel.exe, 00000005.00000002.710776976.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HqA@HawkEye_Keylogger_Stealer_Records_813435 3.8.2022 6:03:10 PM.txt
Source: Pluto Panel.exe, 00000005.00000002.710776976.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Hq\[ftp://files.000webhost.com/HawkEye_Keylogger_Stealer_Records_813435 3.8.2022 6:03:10 PM.txt
Source: Pluto Panel.exe, 00000005.00000002.710776976.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://files.000webhost.com/HawkEye_Keylogger_Stealer_Records_813435%203.8.2022%206:03:10%20PM.txt
Source: Pluto Panel.exe, 00000005.00000002.710776976.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Hqbaftp://files.000webhost.com/HawkEye_Keylogger_Stealer_Records_813435%203.8.2022%206:03:10%20PM.txt
Source: Pluto Panel.exe, 00000005.00000002.710776976.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HqBA/HawkEye_Keylogger_Stealer_Records_813435 3.8.2022 6:03:10 PM.txt
Source: Pluto Panel.exe, 00000005.00000002.710776976.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HqA@HawkEye_Keylogger_Stealer_Records_813435 3.8.2022 6:03:10 PM.txtd8
Source: Pluto Panel.exe, 00000005.00000002.710776976.0000000003B1A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HqHGSTOR HawkEye_Keylogger_Stealer_Records_813435 3.8.2022 6:03:10 PM.txt
Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Pluto Panel.exe, 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Pluto Panel.exe, 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Hq'&HawkEye_Keylogger_Execution_Confirmed_
Source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HawkEyeKeylogger
Source: Pluto Panel.exe, 00000005.00000002.706244077.0000000003705000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Hq#"HawkEye_Keylogger_Stealer_Records_
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.17.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.19.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.0.0fd7de5367376231a788872005d7ed4f.exe.400000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.0fd7de5367376231a788872005d7ed4f.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.468272297.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_03230A8E listen,
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_03230E9E bind,
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_03230E6B bind,
Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe | Code function: 5_2_03230A50 listen,
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
1 Replication Through Removable Media | 12 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Disable or Modify Tools | 121 Input Capture | 1 System Time Discovery | 1 Replication Through Removable Media | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Shared Modules | 2 Windows Service | 2 Windows Service | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Peripheral Device Discovery | Remote Desktop Protocol | 121 Input Capture | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 2 Scheduled Task/Job | 2 Scheduled Task/Job | 212 Process Injection | 141 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | 221 Registry Run Keys / Startup Folder | 2 Scheduled Task/Job | 15 Software Packing | NTDS | 14 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Remote Access Software | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | 221 Registry Run Keys / Startup Folder | 1 Timestomp | LSA Secrets | 1 Query Registry | SSH | Keylogging | Data Transfer Size Limits | 2 Non-Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 DLL Side-Loading | Cached Domain Credentials | 221 Security Software Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | 112 Application Layer Protocol | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 22 Masquerading | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 21 Virtualization/Sandbox Evasion | Proc Filesystem | 21 Virtualization/Sandbox Evasion | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 212 Process Injection | /etc/passwd and /etc/shadow | 1 Remote System Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Hidden Files and Directories | Network Sniffing | 1 System Network Configuration Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 585264 | Sample: RIP_YOUR_PC_LOL.exe | Startdate: 08/03/2022 | Architecture: WINDOWS | Score: 100

• Start
  • DNS/IP: yabynennet.xyz; whatismyipaddress.com; 13 other IPs or domains
  • Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 36 other signatures
  • Process started: RIP_YOUR_PC_LOL.exe
    • Dropped: C:\Users\user\AppData\...\healastounding.exe (PE32); C:\Users\user\AppData\Roaming\___11.19.exe (PE32); C:\Users\user\AppData\...\Pluto Panel.exe (PE32); 3 other malicious files
    • Process started: healastounding.exe
      • Dropped: C:\Users\user\AppData\Roaming\test.exe (PE32); C:\Users\user\AppData\Roaming\gay.exe (PE32); C:\Users\user\AppData\Roaming\aaa.exe (PE32); 5 other malicious files
      • Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
      • Process started: gay.exe
        • Dropped: C:\Users\user\AppData\Roaming\mediaget.exe (PE32)
        • Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
        • Process started: mediaget.exe
          • DNS/IP: kazya1.hopto.org 41.249.51.34, port 1470 (MT-MPLSMA, Morocco)
          • Dropped: C:\...\a797c6ca3f5e7aff8fa1149c47fe9466.exe (PE32)
          • Signatures: Antivirus detection for dropped file; Protects its processes via BreakOnTermination flag; Machine Learning detection for dropped file; 3 other signatures
      • Process started: Opus.exe
        • DNS/IP: 172.98.92.42, ports 49773, 49776, 49778 (TOTAL-SERVER-SOLUTIONSUS, United States)
        • Dropped: C:\Program Files (x86)\...\dhcpmon.exe (PE32); C:\Users\user\AppData\Roaming\...\run.dat (data); C:\Users\user\AppData\Local\...\tmp4896.tmp (XML)
        • Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Hides that the sample has been downloaded from the Internet (zone.identifier)
      • Process started: 8f1c8b40c7be588389a8d382040b23bb.exe
        • Dropped: C:\Users\user\AppData\...\FFDvbcrdfqs.exe (PE32); C:\Users\user\AppData\Local\...\Dcvxaamev.exe (PE32)
        • Signatures: Multi AV Scanner detection for dropped file; Sample uses process hollowing technique
      • 3 other processes
        • DNS/IP: gfhhjgh.duckdns.org 179.13.1.253, port 8050 (ColombiaMovilCO, Colombia)
        • Dropped: C:\Users\user\AppData\Roaming\3.exe (PE32)
        • Signatures: Injects a PE file into a foreign processes
    • Process started: 22.exe
      • Dropped: C:\Windows\Help\active_desktop_render.dll (PE32); C:\Windows\Help\Winlogon.exe (PE32); C:\Windows\Cursors\WUDFhosts.exe (PE32+)
      • Signatures: Multi AV Scanner detection for dropped file; Uses netsh to modify the Windows network and firewall settings
    • Process started: 0fd7de5367376231a788872005d7ed4f.exe
      • Signatures: May check the online IP address of the machine
      • Process started: 0fd7de5367376231a788872005d7ed4f.exe
        • DNS/IP: 80.87.192.115, ports 49771, 80 (THEFIRST-ASRU, Russian Federation); api.ipify.org.herokudns.com 52.20.78.240, ports 49770, 80 (AMAZON-AESUS, United States); api.ipify.org
    • Process started: Pluto Panel.exe

Source | Detection | Scanner | Label
RIP_YOUR_PC_LOL.exe | 63% | Virustotal |
RIP_YOUR_PC_LOL.exe | 33% | Metadefender |
RIP_YOUR_PC_LOL.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/AD.MExecute.lzrac
RIP_YOUR_PC_LOL.exe | 100% | Avira | SPR/Tool.MailPassView.473
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/AD.MalwareCrypter.rrsdk
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/Dropper.GR
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/Agent.aagt
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/AD.RedLineSteal.cjshc
RIP_YOUR_PC_LOL.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
RIP_YOUR_PC_LOL.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Opus.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Roaming\mediaget.exe | 100% | Avira | TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\___11.19.exe | 100% | Avira | TR/Dropper.GR
C:\Users\user\AppData\Roaming\___11.19.exe | 100% | Avira | TR/Agent.aagt
C:\Users\user\AppData\Roaming\healastounding.exe | 100% | Avira | TR/AD.RedLineSteal.cjshc
C:\Users\user\AppData\Roaming\healastounding.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | 100% | Avira | TR/AD.MalwareCrypter.rrsdk
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
C:\Windows\Help\active_desktop_render.dll | 100% | Avira | HEUR/AGEN.1245024
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | 100% | Avira | TR/ATRAPS.Gen
C:\Users\user\AppData\Roaming\gay.exe | 100% | Avira | TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\22.exe | 100% | Avira | HEUR/AGEN.1227810
C:\Users\user\AppData\Roaming\Pluto Panel.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Roaming\Pluto Panel.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Windows\Cursors\WUDFhosts.exe | 100% | Avira | HEUR/AGEN.1213003
C:\Users\user\AppData\Roaming\a.exe | 100% | Avira | TR/AD.RedLineSteal.cjshc
C:\Users\user\AppData\Roaming\3.exe | 100% | Avira | HEUR/AGEN.1203070
C:\Users\user\AppData\Roaming\test.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\aaa.exe | 100% | Avira | TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Opus.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\mediaget.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\___11.19.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\healastounding.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\4.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | Joe Sandbox ML |
C:\Windows\Help\active_desktop_render.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\gay.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\22.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Pluto Panel.exe | 100% | Joe Sandbox ML |
C:\Windows\Cursors\WUDFhosts.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\a.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\3.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\test.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\aaa.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 85% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 100% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoCore
C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe | 29% | Metadefender |
C:\Users\user\AppData\Local\Temp\Dcvxaamev.exe | 86% | ReversingLabs | Win32.Trojan.Fragtor
C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe | 29% | Metadefender |
C:\Users\user\AppData\Local\Temp\FFDvbcrdfqs.exe | 86% | ReversingLabs | Win32.Infostealer.Azorult
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | 29% | Metadefender |
C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe | 92% | ReversingLabs | Win32.Ransomware.StopCrypt
C:\Users\user\AppData\Roaming\22.exe | 38% | Metadefender |
C:\Users\user\AppData\Roaming\22.exe | 86% | ReversingLabs | Win32.Trojan.BlackMoon
C:\Users\user\AppData\Roaming\3.exe | 47% | Metadefender |
C:\Users\user\AppData\Roaming\3.exe | 82% | ReversingLabs | ByteCode-MSIL.Trojan.SpyNoon
C:\Users\user\AppData\Roaming\4.exe | 17% | Metadefender |
C:\Users\user\AppData\Roaming\4.exe | 75% | ReversingLabs | Win32.Trojan.SpyNoon
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | 26% | Metadefender |
C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe | 86% | ReversingLabs | Win32.Infostealer.Azorult
Source | Detection | Scanner | Label
11.0.22.exe.400000.12.unpack | 100% | Avira | HEUR/AGEN.1227810
9.2.Opus.exe.840000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.4.unpack | 100% | Avira | TR/Dropper.Gen
7.0.0fd7de5367376231a788872005d7ed4f.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1242347
4.0.healastounding.exe.900000.4.unpack | 100% | Avira | TR/AD.RedLineSteal.cjshc
4.0.healastounding.exe.900000.4.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
5.0.Pluto Panel.exe.f10000.8.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.0.Pluto Panel.exe.f10000.8.unpack | 100% | Avira | SPR/Tool.MailPassView.473
9.0.Opus.exe.840000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
5.2.Pluto Panel.exe.f10000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.2.Pluto Panel.exe.f10000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.2.unpack | 100% | Avira | TR/Dropper.Gen
12.2.aaa.exe.2c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
8.0.gay.exe.d0000.2.unpack | 100% | Avira | TR/ATRAPS.Gen
12.0.aaa.exe.2c0000.2.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
0.3.RIP_YOUR_PC_LOL.exe.57b3478.6.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.0.0fd7de5367376231a788872005d7ed4f.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1242347
11.0.22.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227810
0.2.RIP_YOUR_PC_LOL.exe.5755c99.18.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
11.0.22.exe.457136.14.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.1.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack | 100% | Avira | TR/Inject.vcoldi
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.3.unpack | 100% | Avira | TR/Dropper.Gen
6.2.test.exe.da0000.0.unpack | 100% | Avira | TR/Dropper.Gen
8.2.gay.exe.d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
12.0.aaa.exe.2c0000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
4.2.healastounding.exe.900000.0.unpack | 100% | Avira | TR/AD.RedLineSteal.cjshc
4.2.healastounding.exe.900000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.1.unpack | 100% | Avira | TR/Dropper.Gen
4.0.healastounding.exe.900000.0.unpack | 100% | Avira | TR/AD.RedLineSteal.cjshc
4.0.healastounding.exe.900000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.6.unpack | 100% | Avira | TR/Dropper.Gen
9.2.Opus.exe.5b00000.7.unpack | 100% | Avira | TR/NanoCore.fadte
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.5.unpack | 100% | Avira | TR/Dropper.Gen
11.0.22.exe.457136.21.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.1.RIP_YOUR_PC_LOL.exe.dda1e2.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.9.unpack | 100% | Avira | TR/Dropper.Gen
0.2.RIP_YOUR_PC_LOL.exe.e387f7.8.unpack | 100% | Avira | TR/Patched.Ren.Gen
11.0.22.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1227810
6.0.test.exe.da0000.0.unpack | 100% | Avira | TR/Dropper.Gen
17.0.mediaget.exe.ab0000.3.unpack | 100% | Avira | TR/ATRAPS.Gen
0.2.RIP_YOUR_PC_LOL.exe.d587a1.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
11.0.22.exe.43de6f.2.unpack | 100% | Avira | HEUR/AGEN.1245024
17.0.mediaget.exe.ab0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
11.0.22.exe.43de6f.19.unpack | 100% | Avira | HEUR/AGEN.1245024
11.0.22.exe.457136.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
9.0.Opus.exe.840000.3.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.0.22.exe.400000.18.unpack | 100% | Avira | HEUR/AGEN.1227810
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.8.unpack | 100% | Avira | TR/Dropper.Gen
11.0.22.exe.43de6f.13.unpack | 100% | Avira | HEUR/AGEN.1245024
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.10.unpack | 100% | Avira | TR/Dropper.Gen
0.0.RIP_YOUR_PC_LOL.exe.9f22de.1.unpack | 100% | Avira | TR/Inject.vcoldi
17.2.mediaget.exe.ab0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
14.0.8f1c8b40c7be588389a8d382040b23bb.exe.476f20.7.unpack | 100% | Avira | TR/Dropper.Gen
0.3.RIP_YOUR_PC_LOL.exe.5839748.8.unpack | 100% | Avira | HEUR/AGEN.1227785
9.0.Opus.exe.840000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
8.0.gay.exe.d0000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
8.0.gay.exe.d0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
11.0.22.exe.457136.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.0.RIP_YOUR_PC_LOL.exe.ea57bf.9.unpack | 100% | Avira | TR/Patched.Ren.Gen
4.2.healastounding.exe.4582ffa.11.unpack | 100% | Avira | TR/Dropper.Gen
11.0.22.exe.43de6f.7.unpack | 100% | Avira | HEUR/AGEN.1245024
0.0.RIP_YOUR_PC_LOL.exe.e387f7.8.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.0.RIP_YOUR_PC_LOL.exe.dda1e2.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
12.0.aaa.exe.2c0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen
0.2.RIP_YOUR_PC_LOL.exe.56d4258.19.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
17.0.mediaget.exe.ab0000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
0.1.RIP_YOUR_PC_LOL.exe.d587a1.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
0.2.RIP_YOUR_PC_LOL.exe.dda1e2.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.0.healastounding.exe.900000.12.unpack | 100% | Avira | TR/AD.RedLineSteal.cjshc
4.0.healastounding.exe.900000.12.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
0.3.RIP_YOUR_PC_LOL.exe.5956fd2.3.unpack | 100% | Avira | TR/Dropper.Gen
7.0.0fd7de5367376231a788872005d7ed4f.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1242347
6.0.test.exe.da0000.2.unpack | 100% | Avira | TR/Dropper.Gen
5.0.Pluto Panel.exe.f10000.4.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.0.Pluto Panel.exe.f10000.4.unpack | 100% | Avira | SPR/Tool.MailPassView.473
0.0.RIP_YOUR_PC_LOL.exe.d587a1.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen7
5.0.Pluto Panel.exe.f10000.12.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.0.Pluto Panel.exe.f10000.12.unpack | 100% | Avira | SPR/Tool.MailPassView.473
                    5.0.Pluto Panel.exe.f10000.0.unpack100%AviraTR/AD.MExecute.lzracDownload File
                    5.0.Pluto Panel.exe.f10000.0.unpack100%AviraSPR/Tool.MailPassView.473Download File
                    6.0.test.exe.da0000.3.unpack100%AviraTR/Dropper.GenDownload File
                    0.2.RIP_YOUR_PC_LOL.exe.5821276.21.unpack100%AviraTR/Patched.Ren.GenDownload File
                    0.1.RIP_YOUR_PC_LOL.exe.e387f7.7.unpack100%AviraTR/Patched.Ren.GenDownload File
                    0.0.RIP_YOUR_PC_LOL.exe.1f6c52e.15.unpack100%AviraTR/Dropper.GenDownload File
                    0.2.RIP_YOUR_PC_LOL.exe.1f6c52e.15.unpack100%AviraTR/Dropper.GenDownload File
                    7.2.0fd7de5367376231a788872005d7ed4f.exe.400000.0.unpack100%AviraHEUR/AGEN.1242347Download File
                    12.0.aaa.exe.2c0000.3.unpack100%AviraTR/Dropper.MSIL.GenDownload File
                    0.2.RIP_YOUR_PC_LOL.exe.9f22de.3.unpack100%AviraTR/Inject.vcoldiDownload File
                    7.2.0fd7de5367376231a788872005d7ed4f.exe.24f15a0.1.unpack100%AviraTR/Patched.Ren.GenDownload File
                    14.0.8f1c8b40c7be588389a8d382040b23bb.exe.4bdf52.11.unpack100%AviraTR/Dropper.GenDownload File
                    0.1.RIP_YOUR_PC_LOL.exe.ea57bf.8.unpack100%AviraTR/Patched.Ren.GenDownload File
                    14.0.8f1c8b40c7be588389a8d382040b23bb.exe.400000.0.unpack100%AviraTR/Dropper.GenDownload File
                    4.2.healastounding.exe.44c50a8.8.unpack100%AviraTR/Dropper.GenDownload File
                    0.2.RIP_YOUR_PC_LOL.exe.57b42ae.20.unpack100%AviraTR/Patched.Ren.GenDownload File
                    7.0.0fd7de5367376231a788872005d7ed4f.exe.400000.0.unpack100%AviraHEUR/AGEN.1242347Download File
                    17.0.mediaget.exe.ab0000.2.unpack100%AviraTR/ATRAPS.GenDownload File
                    9.0.Opus.exe.840000.2.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
                    8.0.gay.exe.d0000.3.unpack100%AviraTR/ATRAPS.GenDownload File
                    4.0.healastounding.exe.900000.8.unpack100%AviraTR/AD.RedLineSteal.cjshcDownload File
                    4.0.healastounding.exe.900000.8.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
Name | IP | Active | Malicious | Antivirus Detection | Reputation
Name | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/?format=xml | false | (none) | high
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                          unknown
                                                                          http://www.zhongyicts.com.cnYPluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.fontbureau.com/CPluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.jiyu-kobo.co.jp/iPluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.fontbureau.comituPluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.578609523.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            http://www.jiyu-kobo.co.jp/gPluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            unknown
                                                                            https://www.google.com/accounts/serviceloginPluto Panel.exefalse
                                                                              high
                                                                              http://www.freeeim.com/DRIP_YOUR_PC_LOL.exe, 00000000.00000000.367521899.0000000000E31000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000002.696610265.00000000057AD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.tiro.comicPluto Panel.exe, 00000005.00000003.445903668.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.founder.com.cn/cncz$Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.founder.com.cn/cn$Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              unknown
                                                                              http://www.carterandcone.comkCPluto Panel.exe, 00000005.00000003.442021245.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441503544.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441818008.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.jiyu-kobo.co.jp/lsPluto Panel.exe, 00000005.00000003.448193641.0000000005C53000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.fontbureau.comFXPluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.fontbureau.com/designersGPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.urwpp.deMTqPluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.fontbureau.com/designers/?Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.jiyu-kobo.co.jp/jp/CPluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.founder.com.cn/cn/bThePluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  http://www.fontbureau.com/designers?Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.jiyu-kobo.co.jp/jp/JPluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.452001254.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.founder.com.cn/cnTPluto Panel.exe, 00000005.00000003.433444494.0000000005C7E000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432459781.0000000005C7F000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.432944886.0000000005C7F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.zhongyicts.com.cntsPluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436695339.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.tiro.comPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.goodfont.co.krPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.carterandcone.comPluto Panel.exe, 00000005.00000003.445443819.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437773657.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.440045453.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441297022.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.442021245.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445694166.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445564416.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441503544.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.441818008.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.445818252.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.fontbureau.comoXPluto Panel.exe, 00000005.00000002.711887980.0000000005C50000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.carterandcone.com.Pluto Panel.exe, 00000005.00000003.436798009.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.typography.netDPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    http://www.fontbureau.com/designershPluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.galapagosdesign.com/staff/dennis.htmPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://fontfabrik.comPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://crl.thawte.com/ThawteTimestampingCA.crl0RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmpfalse
                                                                                        high
                                                                                        http://www.founder.com.cn/cnvPluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        https://login.yahoo.com/config/loginPluto Panel.exefalse
                                                                                          high
                                                                                          http://www.fontbureau.comrsivPluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://www.fonts.comPluto Panel.exe, 00000005.00000003.413764911.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413943860.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413057625.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.413330512.0000000005C85000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.sandoll.co.krPluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.urwpp.dePluto Panel.exe, 00000005.00000003.646787103.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.sakkal.comPluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.carterandcone.como.WPluto Panel.exe, 00000005.00000003.439099390.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.439790741.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.438069908.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://www.jiyu-kobo.co.jp/jp/XPluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://www.fontbureau.comonynPluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://whatismyipaddress.com/Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.apache.org/licenses/LICENSE-2.0Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.fontbureau.comPluto Panel.exe, 00000005.00000003.620876949.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.630356431.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.585753311.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.593605825.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.578609523.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.fontbureau.comFPluto Panel.exe, 00000005.00000003.645268957.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://www.fontbureau.comsiv/CPluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.561809650.0000000005C54000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.carterandcone.comTCPluto Panel.exe, 00000005.00000003.437487558.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437239432.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.437023378.0000000005C80000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
                                                                                                  http://ocsp.thawte.com0RIP_YOUR_PC_LOL.exe, 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, RIP_YOUR_PC_LOL.exe, 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, 22.exe, 0000000B.00000000.422804028.000000000042B000.00000008.00000001.01000000.0000000B.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  unknown
http://www.founder.com.cp | source: Pluto Panel.exe, 00000005.00000003.431908494.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.urwpp.deR | source: Pluto Panel.exe, 00000005.00000003.494373371.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.493190429.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.497114575.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
http://www.fontbureau.comtu | source: Pluto Panel.exe, 00000005.00000003.570284939.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
https://whatismyipaddress.comx& | source: Pluto Panel.exe, 00000005.00000002.706003291.00000000036CE000.00000004.00000800.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: low
http://whatismyipaddress.com | source: Pluto Panel.exe, 00000005.00000002.705753147.0000000003691000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://www.jiyu-kobo.co.jp/jp/ | source: Pluto Panel.exe, 00000005.00000003.462837238.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.459485550.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457715522.0000000005C56000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.463380932.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460010944.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464082407.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.457092303.0000000005C5A000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.461983546.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.464883846.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp, Pluto Panel.exe, 00000005.00000003.460984251.0000000005C5B000.00000004.00000800.00020000.00000000.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.fontbureau.com/designers/cabarga.htmlf | source: Pluto Panel.exe, 00000005.00000003.569553799.0000000005C80000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
http://www.fontbureau.coma | source: Pluto Panel.exe, 00000005.00000002.711887980.0000000005C50000.00000004.00000800.00020000.00000000.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.fontbureau.comd | source: Pluto Panel.exe, 00000005.00000003.539432667.0000000005C5C000.00000004.00000800.00020000.00000000.sdmp | malicious: false | URL Reputation: safe | reputation: unknown
http://www.fontbureau.com/designers/cabarga.htmlN | source: Pluto Panel.exe, 00000005.00000002.712090794.0000000006EE2000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
179.13.1.253 | gfhhjgh.duckdns.org | Colombia | 27831 | ColombiaMovilCO | false
172.98.92.42 | unknown | United States | 46562 | TOTAL-SERVER-SOLUTIONSUS | false
41.249.51.34 | kazya1.hopto.org | Morocco | 36903 | MT-MPLSMA | false
52.20.78.240 | api.ipify.org.herokudns.com | United States | 14618 | AMAZON-AESUS | false
80.87.192.115 | unknown | Russian Federation | 29182 | THEFIRST-ASRU | false
                                                                                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                        Analysis ID:585264
                                                                                                        Start date:08.03.2022
                                                                                                        Start time:17:59:22
                                                                                                        Joe Sandbox Product:CloudBasic
                                                                                                        Overall analysis duration:0h 15m 34s
                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                        Report type:light
                                                                                                        Sample file name:RIP_YOUR_PC_LOL.exe
                                                                                                        Cookbook file name:default.jbs
                                                                                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:61
                                                                                                        Number of new started drivers analysed:0
                                                                                                        Number of existing processes analysed:0
                                                                                                        Number of existing drivers analysed:0
                                                                                                        Number of injected processes analysed:0
                                                                                                        Technologies:
                                                                                                        • HCA enabled
                                                                                                        • EGA enabled
                                                                                                        • HDC enabled
                                                                                                        • AMSI enabled
                                                                                                        Analysis Mode:default
                                                                                                        Analysis stop reason:Timeout
                                                                                                        Detection:MAL
                                                                                                        Classification:mal100.troj.adwa.spyw.evad.winEXE@84/32@48/5
                                                                                                        EGA Information:
                                                                                                        • Successful, ratio: 83.3%
                                                                                                        HDC Information:
                                                                                                        • Successful, ratio: 15.8% (good quality ratio 14.3%)
                                                                                                        • Quality average: 70.3%
                                                                                                        • Quality standard deviation: 31.5%
                                                                                                        HCA Information:
                                                                                                        • Successful, ratio: 83%
                                                                                                        • Number of executed functions: 0
                                                                                                        • Number of non-executed functions: 0
                                                                                                        Cookbook Comments:
                                                                                                        • Adjust boot time
                                                                                                        • Enable AMSI
                                                                                                        • Found application associated with file extension: .exe
                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe
                                                                                                        • Excluded IPs from analysis (whitelisted): 23.211.6.115, 104.26.13.31, 172.67.75.172, 104.26.12.31, 20.190.160.129, 20.190.160.75, 20.190.160.6, 20.190.160.136, 20.190.160.73, 20.190.160.132, 20.190.160.69, 20.190.160.67, 20.42.65.92, 20.82.209.104, 80.67.82.211, 80.67.82.235
                                                                                                        • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, www.tm.lg.prod.aadmsa.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, www.tm.a.prd.aadg.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, login.msa.msidentity.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, onedsblobprdeus17.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                                                                                                        • Execution Graph export aborted for target test.exe, PID 6236 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                        • Report creation exceeded maximum time and may have missing behavior and disassembly information.
                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
18:01:04 | API Interceptor | 1x Sleep call for process: aaa.exe modified
18:01:13 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
18:01:14 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\AppData\Roaming\Opus.exe" s>$(Arg0)
18:01:22 | Task Scheduler | Run new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
18:01:22 | API Interceptor | 88x Sleep call for process: Opus.exe modified
18:01:23 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run a797c6ca3f5e7aff8fa1149c47fe9466 "C:\Users\user\AppData\Roaming\mediaget.exe" ..
18:01:39 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run a797c6ca3f5e7aff8fa1149c47fe9466 "C:\Users\user\AppData\Roaming\mediaget.exe" ..
18:01:54 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe
18:02:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run a797c6ca3f5e7aff8fa1149c47fe9466 "C:\Users\user\AppData\Roaming\mediaget.exe" ..
18:02:48 | Task Scheduler | Run new task: dwm path: "C:\Windows\System32\srvsvc\dwm.exe"
18:02:51 | Task Scheduler | Run new task: conhost path: "C:\Windows\System32\mssip32\conhost.exe"
18:02:52 | Task Scheduler | Run new task: RuntimeBroker path: "C:\Windows\System32\WindowsDefaultHeatProcessor\RuntimeBroker.exe"
18:02:52 | Task Scheduler | Run new task: services path: "C:\Users\Public\Documents\My Music\services.exe"
18:02:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
18:02:55 | Task Scheduler | Run new task: 8f1c8b40c7be588389a8d382040b23bb path: "C:\Documents and Settings\Public\Desktop\8f1c8b40c7be588389a8d382040b23bb.exe"
18:02:55 | Task Scheduler | Run new task: explorer path: "C:\Windows\winhlp32\explorer.exe"
18:02:55 | Task Scheduler | Run new task: mediaget path: "C:\Windows\CbsTemp\mediaget.exe"
18:03:04 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
18:03:12 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Windows\System32\srvsvc\dwm.exe"
18:03:22 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker "C:\Windows\System32\WindowsDefaultHeatProcessor\RuntimeBroker.exe"
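The Autostart and Task Scheduler rows above are what the report's "System File Execution Location Anomaly", "Suspicius Schtasks From Env Var Folder" and "autostart registry keys with suspicious names" signatures fire on: tasks named dwm, conhost, RuntimeBroker, services and explorer point at binaries under C:\Windows\System32\srvsvc\, C:\Windows\winhlp32\, C:\Users\Public\Documents\My Music\ and similar, while the Run values are either 32-character hex blobs or pretend to be "Windows Update". The Python below is an added example, not part of the Joe Sandbox report or its tooling. It transcribes a subset of the rows above as constructed input and applies the same four checks to each row. The expected-directory baseline, the user-writable prefix list and the time|type|description input format are this example's assumptions.

```python
"""Flag sandbox Autostart / Task Scheduler rows whose persistence target
masquerades as a Windows component or lives in a user-writable path."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a subset of the report's timeline rows transcribed
# as "time|type|description" (the report renders them as a table).
SAMPLE_TIMELINE = r"""
18:01:13|Autostart|Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
18:01:14|Task Scheduler|Run new task: DHCP Monitor path: "C:\Users\user\AppData\Roaming\Opus.exe" s>$(Arg0)
18:01:23|Autostart|Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run a797c6ca3f5e7aff8fa1149c47fe9466 "C:\Users\user\AppData\Roaming\mediaget.exe" ..
18:01:54|Autostart|Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe
18:02:48|Task Scheduler|Run new task: dwm path: "C:\Windows\System32\srvsvc\dwm.exe"
18:02:51|Task Scheduler|Run new task: conhost path: "C:\Windows\System32\mssip32\conhost.exe"
18:02:52|Task Scheduler|Run new task: services path: "C:\Users\Public\Documents\My Music\services.exe"
18:02:52|Autostart|Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
18:02:55|Task Scheduler|Run new task: explorer path: "C:\Windows\winhlp32\explorer.exe"
18:03:12|Autostart|Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run dwm "C:\Windows\System32\srvsvc\dwm.exe"
"""

# Directories in which Windows ships these binaries. Assumed baseline for this
# example (lower-case, no trailing separator); extend it for your own image.
EXPECTED_DIR = {
    "dwm.exe": {"c:\\windows\\system32"},
    "conhost.exe": {"c:\\windows\\system32"},
    "runtimebroker.exe": {"c:\\windows\\system32"},
    "services.exe": {"c:\\windows\\system32"},
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "explorer.exe": {"c:\\windows"},
}

# Prefixes a non-admin process can write to (this example's assumption).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\documents and settings\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\windows\\cbstemp\\",
)

PATH_RE = re.compile(r'"?([a-z]:\\[^"\r\n]*?\.exe)"?', re.IGNORECASE)
RUNKEY_RE = re.compile(r'^Run: (HK\S*\\Run) (.+?) "?[a-z]:\\', re.IGNORECASE)
TASK_RE = re.compile(r'^Run new task: (.+?) path: "', re.IGNORECASE)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class Finding:
    time: str
    path: str
    reason: str


def extract_path(description: str) -> str | None:
    """First drive-letter path ending in .exe, quoted or not."""
    m = PATH_RE.search(description)
    return m.group(1) if m else None


def reasons_for(description: str) -> list[str]:
    """Apply the checks to one timeline description; empty list means clean."""
    reasons: list[str] = []
    path = extract_path(description)
    if path is None:
        return reasons
    directory, _, name = path.lower().rpartition("\\")

    # 1. A system-binary name executing outside its shipped directory
    #    (the idea behind the "System File Execution Location Anomaly" rule).
    if name in EXPECTED_DIR and directory not in EXPECTED_DIR[name]:
        reasons.append(f"{name} outside {' or '.join(sorted(EXPECTED_DIR[name]))}")

    # 2. Persistence pointing into a user-writable location.
    if directory.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("user-writable location")

    # 3. A drop into the per-user Startup folder.
    if "\\start menu\\programs\\startup\\" in directory + "\\":
        reasons.append("startup folder")

    # 4. Run value / task name that is a 32-hex blob or a system-process name.
    label = None
    rk = RUNKEY_RE.match(description)
    tk = TASK_RE.match(description)
    if rk:
        label = rk.group(2)
    elif tk:
        label = tk.group(1)
    if label is not None:
        low = label.lower()
        if HEX32_RE.match(low):
            reasons.append("random hex name")
        if low + ".exe" in EXPECTED_DIR:
            reasons.append(f"named after system process '{label}'")
    return reasons


def triage(timeline: str) -> list[Finding]:
    """Parse 'time|type|description' rows and return one Finding per reason."""
    findings: list[Finding] = []
    for row in timeline.strip().splitlines():
        time, kind, description = row.split("|", 2)
        if kind not in ("Autostart", "Task Scheduler"):
            continue
        path = extract_path(description) or ""
        for reason in reasons_for(description):
            findings.append(Finding(time, path, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_TIMELINE):
        print(f"{f.time}  {f.reason:45}  {f.path}")
```

Note what the heuristics do not catch: the dhcpmon.exe Run value uses a plausible name and sits under Program Files (x86), so it passes all four checks and is only caught by the Yara hits further down. Location and naming anomalies are a cheap first pass, not a substitute for scanning the dropped binary.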
                                                                                                        Process:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):208384
                                                                                                        Entropy (8bit):7.449669736966968
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:cLV6Bta6dtJmakIM5zEN/wjwJsvle+o9f/N:cLV6Btpmk1Elepd
                                                                                                        MD5:759185EE3724D7563B709C888C696959
                                                                                                        SHA1:7C166CC3CBFEF08BB378BCF557B1F45396A22931
                                                                                                        SHA-256:9384798985672C356A8A41BF822443F8EB0D3747BFCA148CE814594C1A894641
                                                                                                        SHA-512:ED754357B1B995DE918AF21FECD9D1464BDEA6778F7AB450A34E3AAE22BA7EEBC02F2442AF13774ABFDF97954E419EC9E356B54506C7E3BF12E3B76EE882FA2C
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: ditekSHen
                                                                                                        • Rule: NanoCore, Description: unknown, Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 85%, Browse
                                                                                                        • Antivirus: ReversingLabs, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................d........... ........@.. ......................................................................8...W.... ..$`........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...$`... ...b..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                                                                                        Process:C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):10
                                                                                                        Entropy (8bit):2.6464393446710157
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:HLLv:fv
                                                                                                        MD5:7AE4BED9A9648A53C3508D11671EF714
                                                                                                        SHA1:C349F54BAAA203AB3DC98498C49851C0704DD217
                                                                                                        SHA-256:C355B022F11CFAD7126BBD035784DAB1E94C3604D1528A130465E823C6EC1149
                                                                                                        SHA-512:7E3C40C668FAA94C9C1420B70405F41181BAE21F906C48164828E5427F66950483C4056E48C1FFF56634A5CDD943E5B1E40B8BEC798F4349E46263B21D7E1C6E
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:84.17.52.7
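The "Entropy (8bit)" field in these dropped-file entries is the Shannon entropy of the file's bytes in bits per byte: the 208384-byte .NET dropper above scores 7.45, and the 10-byte file whose entire content is the Preview line 84.17.52.7 scores 2.6464. The Python below is an added example, not code from the report or from Joe Sandbox. It reproduces that 10-byte value exactly from the bytes shown, and adds a fixed-window scan over a constructed buffer to show how the same measure locates a packed or encrypted region inside an otherwise low-entropy file. The triage thresholds in classify() are this example's own; the report does not state which threshold drives its Encrypted flag.

```python
"""Shannon entropy as reported in sandbox 'Entropy (8bit)' fields, plus a
windowed scan that finds high-entropy (packed/encrypted) regions."""
from __future__ import annotations

import math
from collections import Counter

# Content of the 10-byte dropped file, taken from the report's Preview line.
IP_FILE = b"84.17.52.7"

# Constructed buffer: low-entropy padding around a 1 KiB block in which every
# byte value occurs equally often (entropy exactly 8.0), standing in for an
# encrypted payload embedded in an otherwise plain file.
CONSTRUCTED_PE_LIKE = b"A" * 1024 + bytes(range(256)) * 4 + b"A" * 1024


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    """Coarse triage bucket. Thresholds are this example's assumption:
    ASCII text tends to land around 4-5.5, native code 6-6.5, and
    compressed or encrypted data above roughly 7.2."""
    if entropy >= 7.2:
        return "likely packed/encrypted"
    if entropy >= 6.0:
        return "code or mixed binary"
    if entropy >= 3.5:
        return "text-like"
    return "low/structured"


def high_entropy_windows(data: bytes, window: int = 256,
                         threshold: float = 7.0) -> list[int]:
    """Offsets of non-overlapping fixed-size windows whose entropy exceeds
    the threshold. A trailing fragment shorter than one window is skipped."""
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) > threshold]


if __name__ == "__main__":
    e = shannon_entropy(IP_FILE)
    print(f"{IP_FILE!r}: {e:.16f} -> {classify(e)}")
    print(f"high-entropy windows at offsets {high_entropy_windows(CONSTRUCTED_PE_LIKE)}")
```

Whole-file entropy is what the report shows, but a .NET assembly with a small .text section and a large encrypted resource can average out to a middling value; scanning per window is how you see that the 7.45 of the dropper is concentrated in a few regions rather than spread across the PE headers and metadata.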
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):128
                                                                                                        Entropy (8bit):5.185983766127119
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:QHXMKaZImrnLCR2RAVIAQyz2QyDBLnDLFv:Q3LadLCR22IAQykdL1v
                                                                                                        MD5:1F5C279D069793BFDB15F6DAC63D5C39
                                                                                                        SHA1:EFA436296EE3BC196FFC4FBD48978A4A1BB6FD34
                                                                                                        SHA-256:007D94877B5C9048FDC238CF6E63516F2BF398588878947E1DC4A4E55553602D
                                                                                                        SHA-512:48270029CAB2C46093058BDB28795ECA137656C1B4EB9E1EFD2111EA42997B29312B7A0EBFD6EB411375F799754D2403C233D0FF6B65103AEFABDE68268ED747
                                                                                                        Malicious:true
                                                                                                        Reputation:unknown
                                                                                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..
                                                                                                        Process:C:\Users\user\AppData\Roaming\aaa.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):525
                                                                                                        Entropy (8bit):5.2874233355119316
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                                                                                                        MD5:80EFBEC081D7836D240503C4C9465FEC
                                                                                                        SHA1:6AF398E08A359457083727BAF296445030A55AC3
                                                                                                        SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                                                                                                        SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                                                                                                        Process:C:\Users\user\AppData\Roaming\gay.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):525
                                                                                                        Entropy (8bit):5.2874233355119316
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk7v:MLF20NaL3z2p29hJ5g522r0
                                                                                                        MD5:80EFBEC081D7836D240503C4C9465FEC
                                                                                                        SHA1:6AF398E08A359457083727BAF296445030A55AC3
                                                                                                        SHA-256:C73F730EB5E05D15FAD6BE10AB51FE4D8A80B5E88B89D8BC80CC1DF09ACE1523
                                                                                                        SHA-512:DEC3B1D9403894418AFD4433629CA6476C7BD359963328D17B93283B52EEC18B3725D2F02F0E9A142E705398DDDCE244D53829570E9DE1A87060A7DABFDCE5B3
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):128
                                                                                                        Entropy (8bit):5.185983766127119
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:QHXMKaZImrnLCR2RAVIAQyz2QyDBLnDLFv:Q3LadLCR22IAQykdL1v
                                                                                                        MD5:1F5C279D069793BFDB15F6DAC63D5C39
                                                                                                        SHA1:EFA436296EE3BC196FFC4FBD48978A4A1BB6FD34
                                                                                                        SHA-256:007D94877B5C9048FDC238CF6E63516F2BF398588878947E1DC4A4E55553602D
                                                                                                        SHA-512:48270029CAB2C46093058BDB28795ECA137656C1B4EB9E1EFD2111EA42997B29312B7A0EBFD6EB411375F799754D2403C233D0FF6B65103AEFABDE68268ED747
                                                                                                        Malicious:true
                                                                                                        Reputation:unknown
                                                                                                        Preview:1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..
                                                                                                        Process:C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):10
                                                                                                        Entropy (8bit):2.6464393446710157
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:HLLv:fv
                                                                                                        MD5:7AE4BED9A9648A53C3508D11671EF714
                                                                                                        SHA1:C349F54BAAA203AB3DC98498C49851C0704DD217
                                                                                                        SHA-256:C355B022F11CFAD7126BBD035784DAB1E94C3604D1528A130465E823C6EC1149
                                                                                                        SHA-512:7E3C40C668FAA94C9C1420B70405F41181BAE21F906C48164828E5427F66950483C4056E48C1FFF56634A5CDD943E5B1E40B8BEC798F4349E46263B21D7E1C6E
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:84.17.52.7
                                                                                                        Process:C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):335872
                                                                                                        Entropy (8bit):7.696824069546379
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:WLR0mFZcyJuOwhXdZkWwQ5eRI44axa7AP5Mb:8RHTJuOwhNZkWwQURI4xxa70ab
                                                                                                        MD5:870D6E5AEF6DEA98CED388CCE87BFBD4
                                                                                                        SHA1:2D7EEE096D38D3C2A8F12FCBA0A44B4C4DA33D54
                                                                                                        SHA-256:6D50833895B2E3EB9D6F879A6436660127C270B6A516CDA0253E56A3D8B7FBA0
                                                                                                        SHA-512:0D55AB28B2F80136AF121B870B7503551D87BBEB2848CF9A32540006CAC9A5E346D9FCCE2BF1223A22927F72A147B81487533A10B91373D4FA4429D6159FD566
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 29%
                                                                                                        • Antivirus: ReversingLabs, Detection: 86%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.a..................... .......Y............@..........................0.......F......................................T...P.... ..t...............................................................................d............................text............................... ..`.data...............................@....rsrc...t.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):290816
                                                                                                        Entropy (8bit):7.605066056188275
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:7S0BFZcouRlCLNkbI7u2KrMmCI44axa7AR5Mp:7SkZolCLybI7xI4xxa7Wap
                                                                                                        MD5:78D40B12FFC837843FBF4DE2164002F6
                                                                                                        SHA1:985BDFFA69BB915831CD6B81783AEF3AE4418F53
                                                                                                        SHA-256:308A15DABDC4CE6B96DD54954A351D304F1FCB59E8C93221BA1C412BCDFD1C44
                                                                                                        SHA-512:C6575E1771D37DED4089D963BEA95DEAC78B329ED555C991D7C559EE1970DD0887A965E88C09981529ADC9C25DF5CFD3D57E3DCE6724DA1F01F1198F0F460B79
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 29%
                                                                                                        • Antivirus: ReversingLabs, Detection: 86%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...w>.a.................@... ...............P....@..................................I.......................................D..P....p..t...............................................................................d............................text....:.......@.................. ..`.data........P.......P..............@....rsrc...t....p.......`..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1305
                                                                                                        Entropy (8bit):5.090556205433367
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0V75xtn:cbk4oL600QydbQxIYODOLedq3K5j
                                                                                                        MD5:1211D31E3B2DF2F76E97FEF49A693566
                                                                                                        SHA1:47DA0FC84FEF52FE80D25341A9A2DC97117841F3
                                                                                                        SHA-256:8DD44C774959C9CA5E2557721C4C09ACCC5C5307F426D4A015AEF61A8410F45C
                                                                                                        SHA-512:05DE66143F4D1FCAE7BB927CF508AFD02DFA910D2D244D0EDD7545A9BF9F4B478C3B00D387C84495A14865BCF565D3A25201E6E61C85DE7DB37E4EA4938C1E49
                                                                                                        Malicious:true
                                                                                                        Reputation:unknown
                                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                                                        Process:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1310
                                                                                                        Entropy (8bit):5.109425792877704
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                                                        MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                                                        SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                                                        SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                                                        SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
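Added example, not part of the Joe Sandbox report and not Joe Security's code: a small Python triage script for dropped-file records in the key:value layout shown on this page (one record per `Process:` line, `•`-bulleted antivirus entries, a `Preview` field the sandbox truncates). The sample input is transcribed from two of the records above with the previews shortened. For the two scheduled-task XML files dropped by Opus.exe it flags the settings a responder cares about: `RunLevel` of `HighestAvailable`, an `InteractiveToken` principal, and an empty `Triggers` element, so the task fires only on demand. The field names and the regexes are assumptions about this report layout, not a Joe Sandbox API.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: two "dropped file" records transcribed from the report
# above, in the report's own key:value layout, with the Preview fields cut
# short the way the report itself truncates them.
SAMPLE_REPORT = """\
Process:C:\\Users\\user\\AppData\\Roaming\\Opus.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1305
SHA-256:8DD44C774959C9CA5E2557721C4C09ACCC5C5307F426D4A015AEF61A8410F45C
Malicious:true
Reputation:unknown
Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <Hidden>false</Hidden>.. <Wak
Process:C:\\Users\\user\\AppData\\Roaming\\8f1c8b40c7be588389a8d382040b23bb.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):335872
SHA-256:6D50833895B2E3EB9D6F879A6436660127C270B6A516CDA0253E56A3D8B7FBA0
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 29%
• Antivirus: ReversingLabs, Detection: 86%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L
"""

# One bullet of the per-file antivirus list, e.g. "• Antivirus: Avira, Detection: 100%".
AV_LINE = re.compile(r"^•\s*Antivirus:\s*(?P<engine>.+?),\s*Detection:\s*(?P<pct>\d+)%")

# Task Scheduler settings worth flagging in a dropped task definition: highest
# available token, the interactive user's logon, and no trigger at all (the task
# only runs when something explicitly starts it).
TASK_NS = "schemas.microsoft.com/windows/2004/02/mit/task"
TASK_CHECKS: List[Tuple[str, Any]] = [
    ("RunLevel=HighestAvailable", re.compile(r"<RunLevel>\s*HighestAvailable\s*</RunLevel>")),
    ("LogonType=InteractiveToken", re.compile(r"<LogonType>\s*InteractiveToken\s*</LogonType>")),
    ("no triggers (on-demand task)", re.compile(r"<Triggers\s*/>")),
]


def parse_records(report: str) -> List[Dict[str, Any]]:
    """Split the listing into one dict per record; a record starts at 'Process:'."""
    records: List[Dict[str, Any]] = []
    current: Dict[str, Any] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process:"):
            if current:
                records.append(current)
            current = {"Process": line[len("Process:"):], "Antivirus": []}
            continue
        if not current:  # text before the first record: ignore
            continue
        av = AV_LINE.match(line)
        if av:
            current["Antivirus"].append((av.group("engine"), int(av.group("pct"))))
            continue
        key, sep, value = line.partition(":")  # Preview values contain ':'; split once
        if sep and key != "Antivirus":         # bare "Antivirus:" is only the list header
            current[key] = value
    if current:
        records.append(current)
    return records


def task_xml_flags(record: Dict[str, Any]) -> List[str]:
    """Flag risky Task Scheduler settings visible in a record's truncated preview.
    A missing flag is not evidence of absence: the sandbox cuts the preview off."""
    preview = record.get("Preview", "")
    if TASK_NS not in preview:
        return []
    return [name for name, rx in TASK_CHECKS if rx.search(preview)]


def max_detection(record: Dict[str, Any]) -> int:
    """Highest detection percentage among the listed engines, 0 if none listed."""
    return max((pct for _, pct in record["Antivirus"]), default=0)


def triage(report: str) -> List[Dict[str, Any]]:
    """Reduce each dropped-file record to the fields an analyst pivots on."""
    return [
        {
            "process": rec["Process"],
            "sha256": rec.get("SHA-256", "").lower(),
            "malicious": rec.get("Malicious") == "true",
            "max_av_pct": max_detection(rec),
            "task_flags": task_xml_flags(rec),
        }
        for rec in parse_records(report)
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row)
```

Feed it the whole dropped-files section of a report to get one row per dropped file keyed by the dropping process and SHA-256; because the preview is truncated, use the flags as a prompt to pull the actual task XML from the sandbox rather than as a complete verdict.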
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):549556
                                                                                                        Entropy (8bit):6.964847007042997
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:eKmlz464jAfhe5pUC1jAXBoFACBfz6JMW0rwrsu:oz4d/5iCj0BoNBb6Jh3
                                                                                                        MD5:0FD7DE5367376231A788872005D7ED4F
                                                                                                        SHA1:658E4D5EFB8B14661967BE2183CC60E3E561B2B6
                                                                                                        SHA-256:9083992637E90E412E6F4E77331EB69EE8DB821C54BBC38533E0F889CC4CA9DD
                                                                                                        SHA-512:522D5BE2803FBCE0D12C325CC2EF1E3A92CEC03AEBA7D1164530093AD58CAECD827DD557CA3C182A66C6667150E731DE37BB552D19425F96CC78FE3423E1A863
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 29%
                                                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .4.d.Z.d.Z.d.Z.z..u.Z.z....Z.z..S.Z.CC!.g.Z.d.[..Z.z..e.Z.z..e.Z.z..e.Z.Richd.Z.................PE..L....:._............................. ............@.................................d.......................................8Y..(....................*...8..........P................................O..@............................................text...0........................... ..`.rdata..............................@..@.data........p.......T..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):2101248
                                                                                                        Entropy (8bit):7.055994450169564
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:49152:XkSw2TRlsQ1k0+eDE/C9fLtGoDs9cXpJGy:0EHZ/rDjfLe9cy
                                                                                                        MD5:DBF9DAA1707B1037E28A6E0694B33A4B
                                                                                                        SHA1:DDC1FCEC1C25F2D97C372FFFA247969AA6CD35EF
                                                                                                        SHA-256:A604A3FF78644533FAC5EE9F198E9C5F2FA1AE2A5828186367A9E00935CFF6B6
                                                                                                        SHA-512:145B606FFD58554050FF8712DDB38C1C66DD5F33EA15FD48474E1C165B2C0348D2413E16C7AD07FF1C65CE71E2BE23E3758E6D48C4F2454D5407982119706BFD
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: MALWARE_Win_BlackMoon, Description: Detects executables using BlackMoon RunTime, Source: C:\Users\user\AppData\Roaming\22.exe, Author: ditekSHen
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 38%
                                                                                                        • Antivirus: ReversingLabs, Detection: 86%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I.U.I.U.I.U.U.U.I.U.F.U.I.U^U.U.I.U.o.U~I.U5V.U.I.U.F.U.I.U.I.U.K.U.o.U.I.U.I.U.I.U5V.U.I.URich.I.U................PE..L....{.].................@...................P....@..........................P".................................................@....@"..............................................................................................................text....4.......@.................. ..`.rdata..lP...P...`...P..............@..@.data...........P..................@....rsrc........@"....... .............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\4.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):577536
                                                                                                        Entropy (8bit):5.535850322343421
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:aWMT5dtGv3Kom+qn4e9PtlAc7+Q4hMY1FOhcV:bMT5Sw++4ilAZ1OhcV
                                                                                                        MD5:748A4BEA8C0624A4C7A69F67263E0839
                                                                                                        SHA1:6955B7D516DF38992AC6BFF9D0B0F5DF150DF859
                                                                                                        SHA-256:220D8F8FF82D413C81BD02DFA001E1C478E8FBEA44BAD24F21B3A5284E15632E
                                                                                                        SHA-512:5FCDFDDCE3CC2E636001ED08C5F2F7590AADAA37C091F7BA94E519D298E284362721F1859C6FFBF064AE23E05D4E0E9754B515396812FBE9F9028497396799FD
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: C:\Users\user\AppData\Roaming\3.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_DCRat, Description: DCRat payload, Source: C:\Users\user\AppData\Roaming\3.exe, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\3.exe, Author: ditekSHen
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 47%
                                                                                                        • Antivirus: ReversingLabs, Detection: 82%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a............................N.... ........@.. .......................@............@.....................................K....... .................... ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B................0.......H...........l............................................................*&.(......*J..(........(.....*"..}....*^..}.....(........}....*.0..{.............."5-...YE....5...1...N...N...5...+... ..+...".<+>..\5.../.,+...\.!++..{..+...}..+...+....+...+...+...+...+...+...+..*..0..#..............n..+...t..+....+....+...+..*..0..............R.....o....(........s.......8&.......o....(............9....+......+....;....8.........._,.....+......,.....XT.o......8i...........,..r...p..o..
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):579127
                                                                                                        Entropy (8bit):7.206124159305961
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:xzxzTDWikLSb4NS7IODX+KEe+gpSwcxRLe4:bDWHSb4Ngse+USTR64
                                                                                                        MD5:E6DACE3F577AC7A6F9747B4A0956C8D7
                                                                                                        SHA1:86C71169025B822A8DFBA679EA981035CE1ABFD1
                                                                                                        SHA-256:8B4B846FE1023FA173AB410E3A5862A4C09F16534E14926878E387092E7FFB63
                                                                                                        SHA-512:1C8554D3D9A1B1509BA1DF569EDE3FB7A081BEF84394C708C4F1A2FB8779F012C74FBF6DE085514E0C8DEBB5079CC23C6C6112B95BF2F0AB6A8F0BD156A3E268
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 17%
                                                                                                        • Antivirus: ReversingLabs, Detection: 75%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...+...._......._..'...._f.'...._..'...Rich&...........PE..L....).`.....................2...............0....@.......................................@.........................0...4...d...<....0...R......................|"......T............................U..@............0..`...... ....................text............................... ..`.rdata.."....0......................@..@.data...(7..........................@....didat....... ......................@....rsrc....R...0...T..................@..@.reloc..|".......$...&..............@..B................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1241088
                                                                                                        Entropy (8bit):7.769765528202914
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24576:mMyMzC8+ovorlBtugg0uHqJkSkSZI7C8JaYRHwOwhNGWwQ58Xaj8rac:mMHF+lxuPHYkSfI77aYRQOayac
                                                                                                        MD5:8F1C8B40C7BE588389A8D382040B23BB
                                                                                                        SHA1:BEF5209AE90A3BD3171E1E0BE4E8148C4CCD8A6A
                                                                                                        SHA-256:ED58FFEE46A583C177C792B56C9FC20CCD9509D125F2E3FC90C4F48DE7E2C2A1
                                                                                                        SHA-512:9192B6F2F8320A728C445F9CD6E6D66495AD0EBEBD7FF193DC09EE8AE57B3933C1B75DC208E7D638DB273CB9D31B4CA24EE7BFD9729FF0CDBF432D72BB322B1F
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        • Antivirus: Metadefender, Detection: 26%
                                                                                                        • Antivirus: ReversingLabs, Detection: 86%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.a..................... ......6(............@.................................k...........................................P.......t...............................................................................d............................text...P........................... ..`.data...............................@....rsrc...t...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):8
                                                                                                        Entropy (8bit):3.0
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:tiK:f
                                                                                                        MD5:A032CE284A49FD6CF341559395411B90
                                                                                                        SHA1:9A556CCC1AE76361E16EC13A4549BCEB79D6F383
                                                                                                        SHA-256:CE980B79958BE0B1DA2EFC904A80EFD8FA0B1E3607152100190A001AA399E1F5
                                                                                                        SHA-512:14D6696A4B21C6FBD461FED6F895E0FDAE6706F3DE897E4EE2E29EC9C90F129DE423F3D3476D6BABF4AE1EFAB365C92D697B1355A72CE308DBE2EED97F840E05
                                                                                                        Malicious:true
                                                                                                        Reputation:unknown
                                                                                                        Preview:!a:.p..H
                                                                                                        Process:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):42
                                                                                                        Entropy (8bit):4.15091348260215
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:oNN+EaKC5fMN:oNN7aZ5fMN
                                                                                                        MD5:F00851831855D57C5FAB0A8B025C3ECE
                                                                                                        SHA1:B44A5459ED55DEF8D4F1283651C031B98BBD4F36
                                                                                                        SHA-256:A9CC872641CE9C8FA8134CB799FE95C76299F4202119B72F62129667DB38FC33
                                                                                                        SHA-512:4C9B0071735811D3E59E3E0115EECEF168AA3944D71F7C507AF3C046FA8234E020051E13DD5A2D0E4EE347A99263139697D8382AE1D465F9CED0A4315950D7AA
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        Process:C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
                                                                                                        File Type:data
                                                                                                        Category:dropped
                                                                                                        Size (bytes):49
                                                                                                        Entropy (8bit):1.2701062923235522
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:/l1PL3n:fPL3
                                                                                                        MD5:CD8FA61AD2906643348EEF98A988B873
                                                                                                        SHA1:0B10E2F323B5C73F3A6EA348633B62AE522DDF39
                                                                                                        SHA-256:49A11A24821F2504B8C91BA9D8A6BD6F421ED2F0212C1C771BF1CAC9DE32AD75
                                                                                                        SHA-512:1E6F44AB3231232221CF0F4268E96A13C82E3F96249D7963B78805B693B52D3EBDABF873DB240813DF606D8C207BD2859338D67BA94F33ECBA43EA9A4FEFA086
                                                                                                        Malicious:false
                                                                                                        Reputation:unknown
                                                                                                        Preview:........................................user.
                                                                                                        Process:C:\Users\user\AppData\Roaming\mediaget.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):37888
                                                                                                        Entropy (8bit):5.575438262402469
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:384:HLWZcaCisD/WRdL5kyc/Ss4fzrngNsIhOrAF+rMRTyN/0L+EcoinblneHQM3epzN:iZcID5nc/Ss4HysIsrM+rMRa8NuM0t
                                                                                                        MD5:8EEDC01C11B251481DEC59E5308DCCC3
                                                                                                        SHA1:24BF069E9F2A1F12AEFA391674ED82059386B0AA
                                                                                                        SHA-256:0184983A425FEF55D46B7E0EB729A245730EE26414EBE4B155917C0124A19C2D
                                                                                                        SHA-512:52388313B21F14AA69C8B37E0FE0B73F66AA92F08651A16C820AAE65D341DC1AF6B48F3C8D4F657AC990EEAF4B9A01AE769BCA4D3625550011708697D22B69CC
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a797c6ca3f5e7aff8fa1149c47fe9466.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a................................ ........@.. ....................................@.....................................W.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):208384
                                                                                                        Entropy (8bit):7.449669736966968
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:6144:cLV6Bta6dtJmakIM5zEN/wjwJsvle+o9f/N:cLV6Btpmk1Elepd
                                                                                                        MD5:759185EE3724D7563B709C888C696959
                                                                                                        SHA1:7C166CC3CBFEF08BB378BCF557B1F45396A22931
                                                                                                        SHA-256:9384798985672C356A8A41BF822443F8EB0D3747BFCA148CE814594C1A894641
                                                                                                        SHA-512:ED754357B1B995DE918AF21FECD9D1464BDEA6778F7AB450A34E3AAE22BA7EEBC02F2442AF13774ABFDF97954E419EC9E356B54506C7E3BF12E3B76EE882FA2C
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: ditekSHen
                                                                                                        • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................d........... ........@.. ......................................................................8...W.... ..$`........................................................................... ............... ..H............text........ ...................... ..`.reloc..............................@..B.rsrc...$`... ...b..................@..@................t.......H...........T............................................................0..Q........o5.......*.o6....-.&......3+..+.... ....3......1..... 2.... ....3.... .......*.*....0..E.......s7....-(&s8....-&&s9....,$&s:........s;........*.....+.....+.....+.....0..........~....o<...*..0..........~....o=...*..0..........~....o>...*..0..........~....o?...*..0..........~....o@...*..0.............-.&(A...*&+...0..$.......~B........-.(...+.-.&+..B...+.~B...*.0.............-.&(A...*&+...0..
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):913920
                                                                                                        Entropy (8bit):7.376805169532317
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:ypEQtqB5urTIoYWBQk1E+VF9mOx9wi1T0hnbkOWAvyPx4+c/bUUCy:HQtqBorTlYWBhE+V3mO5vWgxE/nb
                                                                                                        MD5:ED666BF7F4A0766FCEC0E9C8074B089B
                                                                                                        SHA1:1B90F1A4CB6059D573FFF115B3598604825D76E6
                                                                                                        SHA-256:D1330D349BFBD3AEA545FA08EF63339E82A3F4D04E27216ECC4C45304F079264
                                                                                                        SHA-512:D0791EAA9859D751F946FD3252D2056C29328FC97E147A5234A52A3728588A3A1AAA003A8E32863D338EBDCA92305C48B6FA12CA1E620CF27460BF091C3B6D49
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Arnim Rupp
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: JPCERT/CC Incident Response Group
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C.a.....................4........... ........@.. ....................................@.....................................S.... ...2...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....2... ...2..................@..@.reloc.......`....... ..............@..B........................H.......0}..h..............X...........................................2s..........*....0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(.........*...................0.. .........(....(..........(.....o......*....................(......(.......o.......o.......o.......o......*.R..(....o....o......
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):16322590
                                                                                                        Entropy (8bit):7.8569139750386485
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:393216:G7BPkdKzrZciLxv8naSNtPr5rn57M84UTB9xO5/VWvJKJPkwdnfZ:uBPQwxMR7pn5qUTB9xOFVWvJKJPkwdnB
                                                                                                        MD5:A071727B72A8374FF79A695ECDE32594
                                                                                                        SHA1:B2ABA60B3332D6B8F0A56CEA310CDC2BDB4F9FFC
                                                                                                        SHA-256:8ECDFE60EACB5BF647AE69BCBC41DD727EA3089E92B4B08EBCA3A8D162E50745
                                                                                                        SHA-512:854B93FB6B9BF0FE4CAEF5572935852CE8BECF2BC7BD41B192A4B3CEFB7854A2405C6C0C06BBDD4E1026FF9440EC753911DCC935FE68118E322614C1B918E400
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........H..u...u...u...~...u.......u.......u.C.{...u...y...u...f...u...f...u...t.`.u.C.(...u...~...u.(.~...u.(.....u...u...u...s...u.Rich..u.........PE..L.....ca............................5.............@.........................................................................xi.......................................................................................................................text............................... ..`.rdata.............................@..@.data....@....... ..................@....rsrc............ ..................@..@................................................................................................................................................................................................................................................................................................................................
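Each dropped-file record above carries the same per-file fields: size, 8-bit entropy, an Encrypted flag, MD5/SHA1/SHA-256/SHA-512 digests and a Preview of the first bytes with non-printable characters shown as dots. The Python below is an added example, not Joe Sandbox code, that recomputes those fields for a file recovered from an infected host so the digests can be checked against the report and the entropy/Encrypted relation can be seen on real bytes. The report does not document the entropy cut-off it uses for Encrypted; the 7.9 threshold here is an assumption chosen to sit between the 7.86 (not flagged) and 7.99 (flagged) samples on this page. The two input blobs are constructed for the example and are not files from the analysis.

```python
import hashlib
import math
from collections import Counter

# Assumption (not documented by the report): a file is flagged "Encrypted"
# when its 8-bit entropy is at or above this value. On this page a 7.99
# sample is flagged and a 7.86 sample is not, so the real cut-off lies between.
ENCRYPTED_THRESHOLD = 7.9

# Bytes the preview keeps as-is; everything else is rendered as '.'
PRINTABLE = set(range(0x20, 0x7F))


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """Packed/encrypted heuristic behind the Encrypted field (assumed threshold)."""
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


def hashes(data: bytes) -> dict:
    """Upper-case hex digests, keyed the way the report labels them."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def preview(data: bytes, length: int = 64) -> str:
    """First `length` bytes, non-printable bytes shown as '.', like the Preview field."""
    return "".join(chr(b) if b in PRINTABLE else "." for b in data[:length])


def describe(data: bytes) -> dict:
    """Rebuild the per-file fields of a dropped-file record from raw bytes."""
    record = {
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy(data),
        "Encrypted": looks_encrypted(data),
        "Preview": preview(data),
    }
    record.update(hashes(data))
    return record


def matches_report(data: bytes, expected_sha256: str) -> bool:
    """Check a recovered file against a SHA-256 copied from the report (any case)."""
    return hashes(data)["SHA-256"] == expected_sha256.strip().upper()


# Constructed samples (not files from the analysis): a fake DOS stub that is
# mostly zero padding, and a maximally mixed byte stream (every value 16 times).
FAKE_PE = (
    b"MZ\x90\x00\x03\x00"
    + b"\x00" * 58
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 400
)
HIGH_ENTROPY = bytes(range(256)) * 16


if __name__ == "__main__":
    for name, blob in (("fake_pe", FAKE_PE), ("high_entropy", HIGH_ENTROPY)):
        rec = describe(blob)
        print(name, f"entropy={rec['Entropy (8bit)']:.3f}", f"encrypted={rec['Encrypted']}")
        print("  preview:", rec["Preview"])
        print("  sha256: ", rec["SHA-256"])
```

To confirm that a file pulled from `%APPDATA%` on a suspect host is the same artifact the sandbox saw, read it in binary and pass its bytes and the report's SHA-256 to `matches_report`; a mismatch with a matching filename usually means a different build of the same dropper, so the ssdeep value in the record is the next thing to compare.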
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1484512
                                                                                                        Entropy (8bit):7.99205858382872
                                                                                                        Encrypted:true
                                                                                                        SSDEEP:24576:XsoFdKkWRoohlLUI9AMNo9p2mbfmqFycZm4lZD3Ya10Hue4MBSYcQkEaHNYK3Kyh:XrHW6ilLU1Eor3Fg4lBIM0Hue1BSYcQ4
                                                                                                        MD5:52CFD35F337CA837D31DF0A95CE2A55E
                                                                                                        SHA1:88EB919FA2761F739F02A025E4F9BF1FD340B6FF
                                                                                                        SHA-256:5975E737584DDF2601C02E5918A79DAD7531DF0E13DCA922F0525F66BEC4B448
                                                                                                        SHA-512:B584282F6F5396C3BBED7835BE67420AA14D11B9C42A88B0E3413A07A6164C22D6F50D845D05F48CB95D84FD9545D0B9E25E581324A08B3A95CED9F048D41D73
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O...............0.............. ... ........@.. ....................... <.. ..-A6.....................................|L7.........r........................................................................................................................ ......................@....rsrc.... ..........................@............ ..........................@............ ..........................@............ 5.. ...V..................@....uxD5Xzb.....@7.....................@....adata... ....<.....................@...........................................................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):122880
                                                                                                        Entropy (8bit):7.206630188700291
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3072:zMJQH6NvccnsXOf4qhi01sXT0RZTF27rcAXIlWMhBN2/MTDM:zMxsU9i0iXT0RZo7Iwhec/MTD
                                                                                                        MD5:860AA57FC3578F7037BB27FC79B2A62C
                                                                                                        SHA1:A14008FE5E1EB88BF46266DE3D5EE5DB2E0A722B
                                                                                                        SHA-256:5430565C4534B482C7216A0AE75D04E201EE0DB0386682C0C010243083C28D29
                                                                                                        SHA-512:6639B3E2594E554C7FA811F22E1C514474D34220155B4C989AD8716DB1A0AEA65894AA23D78C12A4618C57312DA00353A77DD8E6C6BDD927BF865F2E98AFF8F1
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......S............................n.... ........@.. .......................@............@................................. ...K............................ ....................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................P.......H.......t................5..x............................................ .........%.....(......... t........%.....(.........*..V~....(....~....o....*....(....*R .l..q..(-........*....0..........~.........E........................-...~.... .... ....(...+..t....,... ......[.+..+......(....(!....t....('...........t..........(......u.... .... ....(...+(....~.... ....~.... .....~.... .....X.k_.*.*.....(....*.(....t....~....o@...()....f..(...+.....*....0..........(*....I.U(...+..
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):37888
                                                                                                        Entropy (8bit):5.575438262402469
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:384:HLWZcaCisD/WRdL5kyc/Ss4fzrngNsIhOrAF+rMRTyN/0L+EcoinblneHQM3epzN:iZcID5nc/Ss4HysIsrM+rMRa8NuM0t
                                                                                                        MD5:8EEDC01C11B251481DEC59E5308DCCC3
                                                                                                        SHA1:24BF069E9F2A1F12AEFA391674ED82059386B0AA
                                                                                                        SHA-256:0184983A425FEF55D46B7E0EB729A245730EE26414EBE4B155917C0124A19C2D
                                                                                                        SHA-512:52388313B21F14AA69C8B37E0FE0B73F66AA92F08651A16C820AAE65D341DC1AF6B48F3C8D4F657AC990EEAF4B9A01AE769BCA4D3625550011708697D22B69CC
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a................................ ........@.. ....................................@.....................................W.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                        Process:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):3733504
                                                                                                        Entropy (8bit):7.794569867865562
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:98304:pAdy2TU151ZIpH8YcItGTHF+iSfI77agdayaW/ej:gy5Ls8YcItWFXlWZVy
                                                                                                        MD5:6FB798F1090448CE26299C2B35ACF876
                                                                                                        SHA1:451423D5690CFFA02741D5DA6E7C45BC08AEFB55
                                                                                                        SHA-256:B4F86FF48C5F6B01E0AD4543FB78E0435E81F3EC2AACA89866862157C0DACF4F
                                                                                                        SHA-512:9CC2421A2F3AB01D15BE62A848947B03F1A8212CFD923573CF70F8C10BD8D124AEE3B251828834236AF291EA12450AC2580A712E53A022CE11B4D71B0357D8C3
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: ditekSHen
                                                                                                        • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..................8...........9.. ... 9...@.. .......................`9...........@...................................9.W.... 9......................@9...................................................... ............... ..H............text...4.8.. ....8................. ..`.rsrc........ 9.......8.............@..@.reloc.......@9.......8.............@..B..................9.....H.......@.9.............`!....8..........................................0..f.......r...pr#..p(....t.....r9..p(.......+..........i].a...X....i2..(....o....................(......(....&*...0..q.......(.......o......s......o.....+*.o....u....,..o....t.....(....,..o.......&.o....-....,..o........,..o.....s....z..*...........=R..........P^........8............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Res
                                                                                                        Process:C:\Users\user\AppData\Roaming\gay.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):37888
                                                                                                        Entropy (8bit):5.575438262402469
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:384:HLWZcaCisD/WRdL5kyc/Ss4fzrngNsIhOrAF+rMRTyN/0L+EcoinblneHQM3epzN:iZcID5nc/Ss4HysIsrM+rMRa8NuM0t
                                                                                                        MD5:8EEDC01C11B251481DEC59E5308DCCC3
                                                                                                        SHA1:24BF069E9F2A1F12AEFA391674ED82059386B0AA
                                                                                                        SHA-256:0184983A425FEF55D46B7E0EB729A245730EE26414EBE4B155917C0124A19C2D
                                                                                                        SHA-512:52388313B21F14AA69C8B37E0FE0B73F66AA92F08651A16C820AAE65D341DC1AF6B48F3C8D4F657AC990EEAF4B9A01AE769BCA4D3625550011708697D22B69CC
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a................................ ........@.. ....................................@.....................................W.......@............................................................................ ............... ..H............text....... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H........e...E..........................................................&.(......**..(......*.s.........s.........s.........s..........*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0...........~....o.....+..*.0.............(....(.....+..*...0............(.....+..*.0................(.....+..*.0............(.....+..*.0.. ...................,.(...+.+.+....+...*.0...........................**..(......*....0..&........~..............,.(...+.
                                                                                                        Process:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):46080
                                                                                                        Entropy (8bit):5.459376005695359
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:768:EuwCNToEjaNLWU3zKZmo2q7C8V1vBTcPI1zjbkgX3ir64oRfdwQfybTWVABDZTx:EuwCNToqaS2z8VnTh13brXSr64oZSbZH
                                                                                                        MD5:7E50B292982932190179245C60C0B59B
                                                                                                        SHA1:25CF641DDCDC818F32837DB236A58060426B5571
                                                                                                        SHA-256:A8DDE4E60DB080DFC397D7E312E7E9F18D9C08D6088E8043FEEAE9AB32ABDBB8
                                                                                                        SHA-512:C6D422D9FB115E1B6B085285B1D3CA46ED541E390895D702710E82A336F4DE6CC5C9183F8E6EBE35475FCCE6DEF8CC5FFA8EE4A61B38D7E80A9F40789688B885
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\test.exe, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\test.exe, Author: ditekSHen
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^............................N.... ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H........Y...m.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vr.%.p~....(o....#...*.s...
                                                                                                        Process:C:\Users\user\AppData\Roaming\22.exe
                                                                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):806912
                                                                                                        Entropy (8bit):7.921653477744872
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24576:f7hffPYBJUtGpCXX3dquvU9ckRvYLpZjQaYM8l:NfLtGoDs9cXpJG
                                                                                                        MD5:4A72E30C0A582B082030ADFD8345014F
                                                                                                        SHA1:2F92CCF13F8DFC7EEFF49903A0D1EA8DD97A7353
                                                                                                        SHA-256:E1315C41F50A75C308CDB023F7E48C0AA62931D5771AD8BC4220018ED5D7F976
                                                                                                        SHA-512:8A75925B0695284105856823190531DC4CFCF32A8AE3226EF8C1F796185AA01F8C085B6457A63B1CF81842DA2C6BAAFD4CABF7565A8D96D3460054439BBFB798
                                                                                                        Malicious:true
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................E[Z....E[X.D..E[Y....ogl..................b......,8`..........b...'..b......b.T......<....b......Rich...........................PE..d...5..].........."...... ...0....K...W...K....@..............................X...........`...................................................W.......W..+....U...............W.............................`.W.(.....W.............................................UPX0......K.............................UPX1..... ....K.....................@....rsrc....0....W......"..............@......................................................................................................................................................................................................................................................................................................................3.93.UPX!.$..
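Each dropped-file entry above reports size, 8-bit entropy, an "Encrypted" verdict, four hashes, a libmagic-style file type ("Mono/.Net assembly", "PE32+", "(DLL)") and a byte preview in which the section table is readable; the x86-64 console drop just above shows the UPX0/UPX1 section names of a UPX-packed file. The script below is an added example, not part of the Joe Sandbox report, that recomputes those fields for a file so they can be checked against the table offline. It builds its own minimal PE images as constructed input (no real dropped file is embedded); the 7.9 bits/byte threshold used for the "encrypted" guess and the per-section packer check are assumptions for this example, not the sandbox's rule. Detection of a .NET assembly via a non-zero CLR runtime header directory is the same signal libmagic uses for the "Mono/.Net assembly" label. Point `report()` at the bytes of a real dropped file to compare its output with the entries above.

```python
"""Recompute the hash, entropy and PE-section facts a sandbox dropped-file table
reports, so they can be verified offline. Standard library only; the PE images
used as input are constructed here and are not runnable programs."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
# Section names written by the UPX packer (as in the preview of the x86-64 drop).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests in the same four algorithms the report lists."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def parse_pe(data: bytes) -> dict:
    """Minimal PE parser: bitness, DLL flag, CLR (.NET) header presence, per-section entropy."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # NumberOfRvaAndSizes sits at optional-header offset 92 (PE32) or 108 (PE32+);
    # the data directories follow it, and index 14 is the CLR runtime header.
    num_rva_off = opt + (108 if pe32plus else 92)
    num_rva = struct.unpack_from("<I", data, num_rva_off)[0]
    clr_rva = struct.unpack_from("<I", data, num_rva_off + 4 + 14 * 8)[0] if num_rva > 14 else 0
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append({"name": name, "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {"machine": machine, "pe32plus": pe32plus, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "is_dotnet": clr_rva != 0, "sections": sections}


def report(data: bytes, entropy_threshold: float = 7.9) -> dict:
    """One row of the dropped-file table. The threshold is an assumption for this example."""
    pe = parse_pe(data)
    names = [s["name"] for s in pe["sections"]]
    return {"size": len(data), **file_hashes(data),
            "entropy": round(shannon_entropy(data), 6),
            "encrypted_guess": shannon_entropy(data) >= entropy_threshold,
            "pe32plus": pe["pe32plus"], "is_dll": pe["is_dll"], "is_dotnet": pe["is_dotnet"],
            "upx_sections": [n.decode() for n in names if n in PACKER_SECTION_NAMES],
            "high_entropy_sections": [s["name"].decode() for s in pe["sections"]
                                      if s["entropy"] >= entropy_threshold]}


def build_sample_pe(sections, pe32plus=False, dll=False, dotnet=False) -> bytes:
    """Constructed test input: a structurally valid but non-runnable PE with the given (name, payload) sections."""
    opt_size = 240 if pe32plus else 224
    e_lfanew = 0x40
    align = lambda x: (x + 0x1FF) & ~0x1FF                      # 512-byte file alignment
    headers_len = align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections))
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = IMAGE_FILE_MACHINE_AMD64 if pe32plus else IMAGE_FILE_MACHINE_I386
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)             # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    num_rva_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, num_rva_off, 16)
    if dotnet:  # a non-zero CLR header directory marks a .NET assembly (placeholder RVA/size)
        struct.pack_into("<II", opt, num_rva_off + 4 + 14 * 8, 0x2008, 72)
    sec_hdrs, body, raw_ptr = bytearray(), bytearray(), headers_len
    for i, (name, payload) in enumerate(sections):
        raw_size = align(len(payload))
        sec_hdrs += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(payload), 0x1000 * (i + 1),
                                                     raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    head = (dos + b"PE\0\0" + coff + bytes(opt) + bytes(sec_hdrs)).ljust(headers_len, b"\0")
    return head + bytes(body)


# Constructed samples: a UPX-style PE32+ image (empty UPX0, uniform-random-like UPX1),
# a .NET-style PE32 image, and a plain DLL.
SAMPLE_UPX = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 2), (b".rsrc", b"RSRC" * 16)], pe32plus=True)
SAMPLE_DOTNET = build_sample_pe([(b".text", b"A" * 100), (b".rsrc", b"\0" * 16), (b".reloc", b"\0" * 8)], dotnet=True)
SAMPLE_DLL = build_sample_pe([(b".text", bytes(range(64)) * 4)], dll=True)

if __name__ == "__main__":
    for label, blob in (("upx-like", SAMPLE_UPX), ("dotnet-like", SAMPLE_DOTNET), ("dll", SAMPLE_DLL)):
        print(label, report(blob))
```

Whole-file entropy is what the table reports, and on real packed samples it is dominated by the packed section, which is why the 1.4 MB drop above sits at 7.99 while a 37 KB .NET stub sits near 5.6; comparing per-section entropy, as `report()` also does, separates a packed payload from ordinary compressed resources. SSDEEP is deliberately not recomputed here: it needs the ssdeep library and its output is only meaningful for comparison between files, not for verifying a single row.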
                                                                                                        Process:C:\Users\user\AppData\Roaming\22.exe
                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):76248
                                                                                                        Entropy (8bit):6.357076953831382
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:1536:WH8tImFvh/tAoX/V1d/Xc81qsWjcdTxekxemB:WH8imz/H111TxfAmB
                                                                                                        MD5:A8DDACE9435FE395325FC45DDE8BD0A3
                                                                                                        SHA1:DCF9BAAA9E3A27450DEBF4F35112376ED005C800
                                                                                                        SHA-256:6E81D7C71B3E8D731E11AD75D3DAC02A4210C9F90FAC618AF5C00CBCE3718658
                                                                                                        SHA-512:2C6006E42ECF31DA02A4584E69C0E55390BE5A405353307582852728B2CEB65033F3F5CD0B6465B3A1541D19EAB95C61B394E3403DEE558196C2F2969D82B196
                                                                                                        Malicious:true
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<O..<O..<O..1..$O..1..3O..1..ZO..A6.?O..57..>O..<O..pO..A6..=O..1..=O..<O..=O..A6.=O..Rich<O..................PE..L...K..Y..........................................@..........................P............@.....................................<....0..`....................@..l...@...8...............................@............................................text............................... ..`.rdata..tF.......H..................@..@.data....0..........................@....rsrc...`....0......................@..@.reloc..l....@......................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                        Process:C:\Users\user\AppData\Roaming\22.exe
                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                        Category:dropped
                                                                                                        Size (bytes):995328
                                                                                                        Entropy (8bit):6.19848257170581
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:12288:BT8s5nv9sQ1ViVNEPazI+eGGhFqxVOa+28WXvC:BT8MnlsQ1kVqPv+eDhGwdIvC
                                                                                                        MD5:07A36097730666FE9E5434D85A5AB989
                                                                                                        SHA1:780CA47C15932ED1F9640C17B9BB340410A52338
                                                                                                        SHA-256:1FB4CEE4D83D424E0BFCBFD97169EF717B3EBDCC5D01BA7C7C547AE606AD5C3C
                                                                                                        SHA-512:4A08080471C660856AF724E4480EC721C22C462346E293D93E2F9577E6D669C6B51CD81EF96DFAD943C791DFD7F7F0C2D5234A82D81CE5F1C01BB493CDA34085
                                                                                                        Malicious:true
                                                                                                        Yara Hits:
                                                                                                        • Rule: MALWARE_Win_BlackMoon, Description: Detects executables using BlackMoon RunTime, Source: C:\Windows\Help\active_desktop_render.dll, Author: ditekSHen
                                                                                                        Antivirus:
                                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                        Reputation:unknown
                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................. ......`............ .....................................Rich...................PE..L...Kw.]...........!.....@...........m.......P......................................................................p........y.......0.. ....................@.......................................................P..t............................text...J:.......@.................. ..`.rdata...=...P...@...P..............@..@.data............P..................@....rsrc... ....0......................@..@.reloc...3...@...@..................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Entropy (8bit):7.788951719729708
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.63%
                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.58%
                                                                                                        • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.41%
                                                                                                        • InstallShield setup (43055/19) 0.21%
                                                                                                        • UPX compressed Win32 Executable (30571/9) 0.15%
                                                                                                        File name:RIP_YOUR_PC_LOL.exe
                                                                                                        File size:23633920
                                                                                                        MD5:52867174362410d63215d78e708103ea
                                                                                                        SHA1:7ae4e1048e4463a4201bdeaf224c5b6face681bf
                                                                                                        SHA256:37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
                                                                                                        SHA512:89e17e147d3f073e479e85d0b0321f6264bbc2aa84c930ed645e8f5cde3f1e58812c3db1ba0f10bee6ce7ac0731e1e3de6747a9b3c4d63a564dd8d904bd726ab
                                                                                                        SSDEEP:393216:HJLgf7BPkdKzrZciLxv8naSNtPr5rn57M84UTB9xO5/VWvJKJPkwdnfZ4y5SDkFV:poBPQwxMR7pn5qUTB9xOFVWvJKJPkwd9
                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e..a..................h...........h.. ....h...@.. ........................i...........@................................
                                                                                                        Icon Hash:00828e8e8686b000
                                                                                                        Entrypoint:0x1a8b4ae
                                                                                                        Entrypoint Section:.text
                                                                                                        Digitally signed:false
                                                                                                        Imagebase:0x400000
                                                                                                        Subsystem:windows gui
                                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                        Time Stamp:0x61B51365 [Sat Dec 11 21:08:53 2021 UTC]
                                                                                                        TLS Callbacks:
                                                                                                        CLR (.Net) Version:v2.0.50727
                                                                                                        OS Version Major:4
                                                                                                        OS Version Minor:0
                                                                                                        File Version Major:4
                                                                                                        File Version Minor:0
                                                                                                        Subsystem Version Major:4
                                                                                                        Subsystem Version Minor:0
                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                        Instruction
                                                                                                        jmp dword ptr [00402000h]
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
                                                                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x168b454 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x168c000 | 0x598 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x168e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x16894b4 | 0x1689600 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x168c000 | 0x598 | 0x600 | False | 0.421223958333 | data | 4.08611300158 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x168e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.118369631259 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x168c0a0 | 0x304 | data | |
RT_MANIFEST | 0x168c3a8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | emerge brutal
Assembly Version | 14.5.48.86
InternalName | foampounding.exe
FileVersion | 14.5.48.86
CompanyName | brawler
ProductName | open
ProductVersion | 14.5.48.86
FileDescription | earfalserust
OriginalFilename | foampounding.exe
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/08/22-18:01:02.530765 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51748 | 8.8.8.8 | 192.168.2.6
03/08/22-18:01:29.841168 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49695 | 8.8.8.8 | 192.168.2.6
03/08/22-18:01:52.276662 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61607 | 8.8.8.8 | 192.168.2.6
03/08/22-18:02:29.169253 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52858 | 8.8.8.8 | 192.168.2.6
03/08/22-18:02:48.436398 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59871 | 8.8.8.8 | 192.168.2.6
03/08/22-18:02:48.491531 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50029 | 8.8.8.8 | 192.168.2.6
03/08/22-18:02:48.738596 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 51194 | 8.8.8.8 | 192.168.2.6
03/08/22-18:02:53.688495 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50081 | 8.8.8.8 | 192.168.2.6
03/08/22-18:02:56.227160 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 55083 | 8.8.8.8 | 192.168.2.6
03/08/22-18:02:58.743158 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 59106 | 8.8.8.8 | 192.168.2.6
03/08/22-18:03:09.787643 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 61152 | 8.8.8.8 | 192.168.2.6
03/08/22-18:03:11.689559 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 49679 | 8.8.8.8 | 192.168.2.6
03/08/22-18:03:22.042737 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 52225 | 8.8.8.8 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 8, 2022 18:01:02.549043894 CET | 49768 | 8050 | 192.168.2.6 | 179.13.1.253
Mar 8, 2022 18:01:05.605629921 CET | 49768 | 8050 | 192.168.2.6 | 179.13.1.253
Mar 8, 2022 18:01:11.606240988 CET | 49768 | 8050 | 192.168.2.6 | 179.13.1.253
Mar 8, 2022 18:01:21.307589054 CET | 49770 | 80 | 192.168.2.6 | 52.20.78.240
Mar 8, 2022 18:01:21.448190928 CET | 80 | 49770 | 52.20.78.240 | 192.168.2.6
Mar 8, 2022 18:01:21.448342085 CET | 49770 | 80 | 192.168.2.6 | 52.20.78.240
Mar 8, 2022 18:01:21.456914902 CET | 49770 | 80 | 192.168.2.6 | 52.20.78.240
Mar 8, 2022 18:01:21.596329927 CET | 80 | 49770 | 52.20.78.240 | 192.168.2.6
Mar 8, 2022 18:01:21.597302914 CET | 80 | 49770 | 52.20.78.240 | 192.168.2.6
Mar 8, 2022 18:01:21.597403049 CET | 49770 | 80 | 192.168.2.6 | 52.20.78.240
Mar 8, 2022 18:01:22.363976955 CET | 49771 | 80 | 192.168.2.6 | 80.87.192.115
Mar 8, 2022 18:01:22.423902035 CET | 80 | 49771 | 80.87.192.115 | 192.168.2.6
Mar 8, 2022 18:01:22.424120903 CET | 49771 | 80 | 192.168.2.6 | 80.87.192.115
Mar 8, 2022 18:01:29.900438070 CET | 49772 | 8050 | 192.168.2.6 | 179.13.1.253
Mar 8, 2022 18:01:32.904844999 CET | 49772 | 8050 | 192.168.2.6 | 179.13.1.253
Mar 8, 2022 18:01:38.999099016 CET | 49772 | 8050 | 192.168.2.6 | 179.13.1.253
Mar 8, 2022 18:01:50.012576103 CET | 49773 | 58491 | 192.168.2.6 | 172.98.92.42
Mar 8, 2022 18:01:50.126136065 CET | 58491 | 49773 | 172.98.92.42 | 192.168.2.6
Mar 8, 2022 18:01:50.812603951 CET | 49773 | 58491 | 192.168.2.6 | 172.98.92.42
Mar 8, 2022 18:01:50.926179886 CET | 58491 | 49773 | 172.98.92.42 | 192.168.2.6
Mar 8, 2022 18:01:51.429456949 CET | 49773 | 58491 | 192.168.2.6 | 172.98.92.42
Mar 8, 2022 18:01:51.544755936 CET | 58491 | 49773 | 172.98.92.42 | 192.168.2.6
Mar 8, 2022 18:01:52.529678106 CET | 49774 | 1470 | 192.168.2.6 | 41.249.51.34
Mar 8, 2022 18:01:55.610013008 CET | 49774 | 1470 | 192.168.2.6 | 41.249.51.34
Mar 8, 2022 18:01:56.268575907 CET | 49775 | 8050 | 192.168.2.6 | 179.13.1.253
                                                                                                        Mar 8, 2022 18:01:59.313349009 CET497758050192.168.2.6179.13.1.253
                                                                                                        Mar 8, 2022 18:02:01.610399961 CET497741470192.168.2.641.249.51.34
                                                                                                        Mar 8, 2022 18:02:05.313823938 CET497758050192.168.2.6179.13.1.253
                                                                                                        Mar 8, 2022 18:02:05.928004980 CET4977658491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:02:06.042727947 CET5849149776172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:02:06.642051935 CET4977658491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:02:06.756652117 CET5849149776172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:02:07.345288038 CET4977658491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:02:07.460087061 CET5849149776172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:02:21.598696947 CET804977052.20.78.240192.168.2.6
                                                                                                        Mar 8, 2022 18:02:21.623155117 CET4977080192.168.2.652.20.78.240
                                                                                                        Mar 8, 2022 18:02:22.540772915 CET804977180.87.192.115192.168.2.6
                                                                                                        Mar 8, 2022 18:02:22.544246912 CET4977180192.168.2.680.87.192.115
                                                                                                        Mar 8, 2022 18:02:29.260555983 CET497778050192.168.2.6179.13.1.253
                                                                                                        Mar 8, 2022 18:02:32.348848104 CET497778050192.168.2.6179.13.1.253
                                                                                                        Mar 8, 2022 18:02:38.443535089 CET497778050192.168.2.6179.13.1.253
                                                                                                        Mar 8, 2022 18:02:41.668142080 CET4977858491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:02:41.783175945 CET5849149778172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:02:42.302769899 CET4977858491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:02:42.417251110 CET5849149778172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:02:43.115386009 CET4977858491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:02:43.230278015 CET5849149778172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:02:48.515594006 CET497801470192.168.2.641.249.51.34
                                                                                                        Mar 8, 2022 18:02:51.537960052 CET497801470192.168.2.641.249.51.34
                                                                                                        Mar 8, 2022 18:02:55.695036888 CET497938050192.168.2.6179.13.1.253
                                                                                                        Mar 8, 2022 18:02:57.647829056 CET497801470192.168.2.641.249.51.34
                                                                                                        Mar 8, 2022 18:02:58.804176092 CET497938050192.168.2.6179.13.1.253
                                                                                                        Mar 8, 2022 18:03:02.885044098 CET4980458491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:03:02.999629974 CET5849149804172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:03:03.617047071 CET4980458491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:03:03.731703043 CET5849149804172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:03:04.304689884 CET4980458491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:03:04.419482946 CET5849149804172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:03:04.804677963 CET497938050192.168.2.6179.13.1.253
                                                                                                        Mar 8, 2022 18:03:08.456417084 CET4981558491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:03:08.571064949 CET5849149815172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:03:09.117554903 CET4981558491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:03:09.232285976 CET5849149815172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:03:09.806243896 CET4981558491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:03:09.920924902 CET5849149815172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:03:10.235430956 CET4977080192.168.2.652.20.78.240
                                                                                                        Mar 8, 2022 18:03:10.375109911 CET804977052.20.78.240192.168.2.6
                                                                                                        Mar 8, 2022 18:03:11.695297003 CET498201470192.168.2.641.249.51.34
                                                                                                        Mar 8, 2022 18:03:13.931397915 CET4982558491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:03:14.047744036 CET5849149825172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:03:14.618395090 CET4982558491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:03:14.733145952 CET5849149825172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:03:14.805542946 CET498201470192.168.2.641.249.51.34
                                                                                                        Mar 8, 2022 18:03:15.306822062 CET4982558491192.168.2.6172.98.92.42
                                                                                                        Mar 8, 2022 18:03:15.421253920 CET5849149825172.98.92.42192.168.2.6
                                                                                                        Mar 8, 2022 18:03:20.806010008 CET498201470192.168.2.641.249.51.34
                                                                                                        Mar 8, 2022 18:03:22.143265009 CET498388050192.168.2.6179.13.1.253
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Mar 8, 2022 18:00:25.222332954 CET  56591        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:01:02.421529055 CET  51748        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:01:02.530765057 CET  53           51748      8.8.8.8        192.168.2.6
Mar 8, 2022 18:01:21.131813049 CET  50958        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:01:21.159094095 CET  53           50958      8.8.8.8        192.168.2.6
Mar 8, 2022 18:01:29.731457949 CET  49695        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:01:29.841167927 CET  53           49695      8.8.8.8        192.168.2.6
Mar 8, 2022 18:01:52.253196955 CET  61607        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:01:52.276662111 CET  53           61607      8.8.8.8        192.168.2.6
Mar 8, 2022 18:01:56.196608067 CET  56550        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:01:56.216669083 CET  53           56550      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:29.062084913 CET  52858        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:29.169253111 CET  53           52858      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:48.149482012 CET  50029        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:48.414717913 CET  59871        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:48.427118063 CET  51194        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:48.436398029 CET  53           59871      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:48.491530895 CET  53           50029      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:48.514926910 CET  51666        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:48.538808107 CET  53           51666      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:48.738595963 CET  53           51194      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:49.711517096 CET  57037        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:49.731496096 CET  53           57037      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:50.793032885 CET  60609        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:50.815732956 CET  53           60609      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:50.939651012 CET  54529        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:50.959239960 CET  53           54529      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:51.056174994 CET  62643        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:51.073822021 CET  53           62643      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:52.364578009 CET  54015        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:52.455807924 CET  53           54015      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:52.476210117 CET  52089        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:52.546967030 CET  53           52089      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:52.577049971 CET  54489        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:52.664900064 CET  53           54489      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:52.879266024 CET  52698        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:52.967892885 CET  53           52698      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:53.016813040 CET  53829        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:53.099018097 CET  53           53829      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:53.111742973 CET  61901        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:53.208043098 CET  53           61901      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:53.250925064 CET  58689        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:53.341078997 CET  53           58689      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:53.351939917 CET  50081        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:53.688494921 CET  53           50081      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:54.809392929 CET  49520        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:54.902901888 CET  65526        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:55.664746046 CET  53049        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:55.684472084 CET  53           53049      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:55.762953997 CET  52965        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:55.834017038 CET  53           52965      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:55.837884903 CET  52125        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:55.930027962 CET  55083        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:55.939817905 CET  53           52125      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:56.227159977 CET  53           55083      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:56.465817928 CET  58360        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:56.485572100 CET  53           58360      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:56.742223978 CET  56071        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:57.091926098 CET  53           56071      8.8.8.8        192.168.2.6
Mar 8, 2022 18:02:58.431301117 CET  59106        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:02:58.743158102 CET  53           59106      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:00.852693081 CET  61113        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:00.870723009 CET  53           61113      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:03.026786089 CET  60658        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:03.046681881 CET  53           60658      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:05.181277037 CET  60238        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:05.199376106 CET  53           60238      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:07.321696043 CET  65367        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:07.343290091 CET  53           65367      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:09.462516069 CET  61152        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:09.787642956 CET  53           61152      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:11.455007076 CET  64544        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:11.490103006 CET  53           64544      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:11.667885065 CET  49679        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:11.689558983 CET  53           49679      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:11.855283022 CET  60361        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:11.875169992 CET  53           60361      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:13.742429972 CET  63771        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:13.761302948 CET  53           63771      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:13.962951899 CET  64579        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:13.984797001 CET  53           64579      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:16.135138988 CET  58801        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:16.157701969 CET  53           58801      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:18.356760979 CET  61571        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:18.376470089 CET  53           61571      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:20.463649035 CET  49463        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:20.481589079 CET  53           49463      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:21.935733080 CET  52225        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:22.042737007 CET  53           52225      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:23.130189896 CET  55342        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:23.148067951 CET  53           55342      8.8.8.8        192.168.2.6
Mar 8, 2022 18:03:23.273044109 CET  49754        53         192.168.2.6    8.8.8.8
Mar 8, 2022 18:03:23.588294983 CET  53           49754      8.8.8.8        192.168.2.6
Timestamp                           Source IP      Dest IP  Trans ID  OP Code             Name                          Type                  Class
Mar 8, 2022 18:00:25.222332954 CET  192.168.2.6    8.8.8.8  0x72ed    Standard query (0)  store-images.s-microsoft.com  A (IP address)        IN (0x0001)
Mar 8, 2022 18:01:02.421529055 CET  192.168.2.6    8.8.8.8  0xf287    Standard query (0)  gfhhjgh.duckdns.org           A (IP address)        IN (0x0001)
Mar 8, 2022 18:01:21.131813049 CET  192.168.2.6    8.8.8.8  0x6641    Standard query (0)  api.ipify.org                 A (IP address)        IN (0x0001)
Mar 8, 2022 18:01:29.731457949 CET  192.168.2.6    8.8.8.8  0xd006    Standard query (0)  gfhhjgh.duckdns.org           A (IP address)        IN (0x0001)
Mar 8, 2022 18:01:52.253196955 CET  192.168.2.6    8.8.8.8  0xa2d     Standard query (0)  kazya1.hopto.org              A (IP address)        IN (0x0001)
Mar 8, 2022 18:01:56.196608067 CET  192.168.2.6    8.8.8.8  0xf35b    Standard query (0)  gfhhjgh.duckdns.org           A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:29.062084913 CET  192.168.2.6    8.8.8.8  0xb207    Standard query (0)  gfhhjgh.duckdns.org           A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:48.149482012 CET  192.168.2.6    8.8.8.8  0x541d    Standard query (0)  hackerinvasion.f3322.net      A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:48.414717913 CET  192.168.2.6    8.8.8.8  0x771c    Standard query (0)  kazya1.hopto.org              A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:48.427118063 CET  192.168.2.6    8.8.8.8  0x1458    Standard query (0)  hackerinvasion.f3322.net      A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:48.514926910 CET  192.168.2.6    8.8.8.8  0x249f    Standard query (0)  yabynennet.xyz                A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:49.711517096 CET  192.168.2.6    8.8.8.8  0x1de0    Standard query (0)  123.105.12.0.in-addr.arpa     PTR (Pointer record)  IN (0x0001)
Mar 8, 2022 18:02:50.793032885 CET  192.168.2.6    8.8.8.8  0x2c      Standard query (0)  whatismyipaddress.com         A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:50.939651012 CET  192.168.2.6    8.8.8.8  0x1b81    Standard query (0)  whatismyipaddress.com         A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:51.056174994 CET  192.168.2.6    8.8.8.8  0xa95e    Standard query (0)  hackerinvasion.f3322.net      A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:52.364578009 CET  192.168.2.6    8.8.8.8  0x658b    Standard query (0)  prepepe.ac.ug                 A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:52.476210117 CET  192.168.2.6    8.8.8.8  0xb173    Standard query (0)  prepepe.ac.ug                 A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:52.577049971 CET  192.168.2.6    8.8.8.8  0xc570    Standard query (0)  prepepe.ac.ug                 A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:52.879266024 CET  192.168.2.6    8.8.8.8  0x28df    Standard query (0)  prepepe.ac.ug                 A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:53.016813040 CET  192.168.2.6    8.8.8.8  0x7f0c    Standard query (0)  prepepe.ac.ug                 A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:53.111742973 CET  192.168.2.6    8.8.8.8  0x73f9    Standard query (0)  prepepe.ac.ug                 A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:53.250925064 CET  192.168.2.6    8.8.8.8  0x59e3    Standard query (0)  prepepe.ac.ug                 A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:53.351939917 CET  192.168.2.6    8.8.8.8  0x1e6     Standard query (0)  hackerinvasion.f3322.net      A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:54.809392929 CET  192.168.2.6    8.8.8.8  0x5dd4    Standard query (0)  api.ip.sb                     A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:54.902901888 CET  192.168.2.6    8.8.8.8  0x4a0c    Standard query (0)  api.ip.sb                     A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:55.664746046 CET  192.168.2.6    8.8.8.8  0xd501    Standard query (0)  gfhhjgh.duckdns.org           A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:55.762953997 CET  192.168.2.6    8.8.8.8  0x259d    Standard query (0)  pretorian.ac.ug               A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:55.837884903 CET  192.168.2.6    8.8.8.8  0x66da    Standard query (0)  pretorian.ac.ug               A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:55.930027962 CET  192.168.2.6    8.8.8.8  0x349d    Standard query (0)  hackerinvasion.f3322.net      A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:56.465817928 CET  192.168.2.6    8.8.8.8  0xa4a5    Standard query (0)  22ssh.com                     A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:56.742223978 CET  192.168.2.6    8.8.8.8  0xeaa     Standard query (0)  pool.usa-138.com              A (IP address)        IN (0x0001)
Mar 8, 2022 18:02:58.431301117 CET  192.168.2.6    8.8.8.8  0x8329    Standard query (0)  hackerinvasion.f3322.net      A (IP address)        IN (0x0001)
Mar 8, 2022 18:03:00.852693081 CET  192.168.2.6    8.8.8.8  0x4b12    Standard query (0)  hackerinvasion.f3322.net      A (IP address)        IN (0x0001)
Mar 8, 2022 18:03:03.026786089 CET  192.168.2.6    8.8.8.8  0x131b    Standard query (0)  hackerinvasion.f3322.net      A (IP address)        IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:05.181277037 CET192.168.2.68.8.8.80xff00Standard query (0)hackerinvasion.f3322.netA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:07.321696043 CET192.168.2.68.8.8.80xd5e2Standard query (0)hackerinvasion.f3322.netA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:09.462516069 CET192.168.2.68.8.8.80x8118Standard query (0)hackerinvasion.f3322.netA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:11.455007076 CET192.168.2.68.8.8.80x9cb7Standard query (0)files.000webhost.comA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:11.667885065 CET192.168.2.68.8.8.80x6983Standard query (0)kazya1.hopto.orgA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:11.855283022 CET192.168.2.68.8.8.80x9062Standard query (0)hackerinvasion.f3322.netA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:13.742429972 CET192.168.2.68.8.8.80x204bStandard query (0)22ssh.comA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:13.962951899 CET192.168.2.68.8.8.80xd1b5Standard query (0)hackerinvasion.f3322.netA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:16.135138988 CET192.168.2.68.8.8.80xcac2Standard query (0)hackerinvasion.f3322.netA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:18.356760979 CET192.168.2.68.8.8.80x9ffStandard query (0)hackerinvasion.f3322.netA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:20.463649035 CET192.168.2.68.8.8.80xa314Standard query (0)hackerinvasion.f3322.netA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:21.935733080 CET192.168.2.68.8.8.80x52d3Standard query (0)gfhhjgh.duckdns.orgA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:23.130189896 CET192.168.2.68.8.8.80xecc7Standard query (0)hackerinvasion.f3322.netA (IP address)IN (0x0001)
                                                                                                        Mar 8, 2022 18:03:23.273044109 CET192.168.2.68.8.8.80xc444Standard query (0)pool.usa-138.comA (IP address)IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Mar 8, 2022 18:00:25.247078896 CET | 8.8.8.8 | 192.168.2.6 | 0x72ed | No error (0) | store-images.s-microsoft.com | store-images.s-microsoft.com-c.edgekey.net |  | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:01:02.530765057 CET | 8.8.8.8 | 192.168.2.6 | 0xf287 | No error (0) | gfhhjgh.duckdns.org |  | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:21.159094095 CET | 8.8.8.8 | 192.168.2.6 | 0x6641 | No error (0) | api.ipify.org | api.ipify.org.herokudns.com |  | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:01:21.159094095 CET | 8.8.8.8 | 192.168.2.6 | 0x6641 | No error (0) | api.ipify.org.herokudns.com |  | 52.20.78.240 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:21.159094095 CET | 8.8.8.8 | 192.168.2.6 | 0x6641 | No error (0) | api.ipify.org.herokudns.com |  | 3.232.242.170 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:21.159094095 CET | 8.8.8.8 | 192.168.2.6 | 0x6641 | No error (0) | api.ipify.org.herokudns.com |  | 3.220.57.224 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:21.159094095 CET | 8.8.8.8 | 192.168.2.6 | 0x6641 | No error (0) | api.ipify.org.herokudns.com |  | 54.91.59.199 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:29.841167927 CET | 8.8.8.8 | 192.168.2.6 | 0xd006 | No error (0) | gfhhjgh.duckdns.org |  | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:52.276662111 CET | 8.8.8.8 | 192.168.2.6 | 0xa2d | No error (0) | kazya1.hopto.org |  | 41.249.51.34 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:01:56.216669083 CET | 8.8.8.8 | 192.168.2.6 | 0xf35b | No error (0) | gfhhjgh.duckdns.org |  | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:29.169253111 CET | 8.8.8.8 | 192.168.2.6 | 0xb207 | No error (0) | gfhhjgh.duckdns.org |  | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.436398029 CET | 8.8.8.8 | 192.168.2.6 | 0x771c | No error (0) | kazya1.hopto.org |  | 41.249.51.34 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.491530895 CET | 8.8.8.8 | 192.168.2.6 | 0x541d | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.538808107 CET | 8.8.8.8 | 192.168.2.6 | 0x249f | No error (0) | yabynennet.xyz |  | 45.129.99.212 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:48.738595963 CET | 8.8.8.8 | 192.168.2.6 | 0x1458 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:49.731496096 CET | 8.8.8.8 | 192.168.2.6 | 0x1de0 | Name error (3) | 123.105.12.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Mar 8, 2022 18:02:50.815732956 CET | 8.8.8.8 | 192.168.2.6 | 0x2c | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:50.815732956 CET | 8.8.8.8 | 192.168.2.6 | 0x2c | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:50.959239960 CET | 8.8.8.8 | 192.168.2.6 | 0x1b81 | No error (0) | whatismyipaddress.com |  | 104.16.154.36 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:50.959239960 CET | 8.8.8.8 | 192.168.2.6 | 0x1b81 | No error (0) | whatismyipaddress.com |  | 104.16.155.36 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:51.073822021 CET | 8.8.8.8 | 192.168.2.6 | 0xa95e | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.455807924 CET | 8.8.8.8 | 192.168.2.6 | 0x658b | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.546967030 CET | 8.8.8.8 | 192.168.2.6 | 0xb173 | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.664900064 CET | 8.8.8.8 | 192.168.2.6 | 0xc570 | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:52.967892885 CET | 8.8.8.8 | 192.168.2.6 | 0x28df | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.099018097 CET | 8.8.8.8 | 192.168.2.6 | 0x7f0c | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.208043098 CET | 8.8.8.8 | 192.168.2.6 | 0x73f9 | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.341078997 CET | 8.8.8.8 | 192.168.2.6 | 0x59e3 | Server failure (2) | prepepe.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:53.688494921 CET | 8.8.8.8 | 192.168.2.6 | 0x1e6 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:54.832865000 CET | 8.8.8.8 | 192.168.2.6 | 0x5dd4 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net |  | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:02:54.924410105 CET | 8.8.8.8 | 192.168.2.6 | 0x4a0c | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net |  | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:02:55.684472084 CET | 8.8.8.8 | 192.168.2.6 | 0xd501 | No error (0) | gfhhjgh.duckdns.org |  | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:55.834017038 CET | 8.8.8.8 | 192.168.2.6 | 0x259d | Server failure (2) | pretorian.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:55.903019905 CET | 8.8.8.8 | 192.168.2.6 | 0x3236 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net |  | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:02:55.939817905 CET | 8.8.8.8 | 192.168.2.6 | 0x66da | Server failure (2) | pretorian.ac.ug | none | none | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:56.227159977 CET | 8.8.8.8 | 192.168.2.6 | 0x349d | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:57.091926098 CET | 8.8.8.8 | 192.168.2.6 | 0xeaa | No error (0) | pool.usa-138.com |  | 220.86.85.75 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:02:58.743158102 CET | 8.8.8.8 | 192.168.2.6 | 0x8329 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:00.870723009 CET | 8.8.8.8 | 192.168.2.6 | 0x4b12 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:03.046681881 CET | 8.8.8.8 | 192.168.2.6 | 0x131b | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:05.199376106 CET | 8.8.8.8 | 192.168.2.6 | 0xff00 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:07.343290091 CET | 8.8.8.8 | 192.168.2.6 | 0xd5e2 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:09.787642956 CET | 8.8.8.8 | 192.168.2.6 | 0x8118 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:11.490103006 CET | 8.8.8.8 | 192.168.2.6 | 0x9cb7 | No error (0) | files.000webhost.com | us-east-1.route-1000.000webhost.awex.io |  | CNAME (Canonical name) | IN (0x0001)
Mar 8, 2022 18:03:11.490103006 CET | 8.8.8.8 | 192.168.2.6 | 0x9cb7 | No error (0) | us-east-1.route-1000.000webhost.awex.io |  | 145.14.144.149 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:11.689558983 CET | 8.8.8.8 | 192.168.2.6 | 0x6983 | No error (0) | kazya1.hopto.org |  | 41.249.51.34 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:11.875169992 CET | 8.8.8.8 | 192.168.2.6 | 0x9062 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:13.984797001 CET | 8.8.8.8 | 192.168.2.6 | 0xd1b5 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:16.157701969 CET | 8.8.8.8 | 192.168.2.6 | 0xcac2 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:18.376470089 CET | 8.8.8.8 | 192.168.2.6 | 0x9ff | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:20.481589079 CET | 8.8.8.8 | 192.168.2.6 | 0xa314 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:22.042737007 CET | 8.8.8.8 | 192.168.2.6 | 0x52d3 | No error (0) | gfhhjgh.duckdns.org |  | 179.13.1.253 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:23.148067951 CET | 8.8.8.8 | 192.168.2.6 | 0xecc7 | No error (0) | hackerinvasion.f3322.net |  | 127.0.0.1 | A (IP address) | IN (0x0001)
Mar 8, 2022 18:03:23.588294983 CET | 8.8.8.8 | 192.168.2.6 | 0xc444 | No error (0) | pool.usa-138.com |  | 220.86.85.75 | A (IP address) | IN (0x0001)
• api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49770 | 52.20.78.240 | 80 | C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
Timestamp | kBytes transferred | Direction | Data
Mar 8, 2022 18:01:21.456914902 CET | 1230 | OUT | GET /?format=xml HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: api.ipify.org
    Connection: Keep-Alive
Mar 8, 2022 18:01:21.597302914 CET | 1230 | IN | HTTP/1.1 200 OK
    Server: Cowboy
    Connection: keep-alive
    Content-Type: text/plain
    Vary: Origin
    Date: Tue, 08 Mar 2022 17:01:21 GMT
    Content-Length: 10
    Via: 1.1 vegur
    Data Raw: 38 34 2e 31 37 2e 35 32 2e 37
    Data Ascii: 84.17.52.7



                                                                                                        Target ID:0
                                                                                                        Start time:18:00:31
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\Desktop\RIP_YOUR_PC_LOL.exe"
                                                                                                        Imagebase:0x9f0000
                                                                                                        File size:23633920 bytes
                                                                                                        MD5 hash:52867174362410D63215D78E708103EA
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000003.388952115.00000000059C7000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.374606826.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                                        • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.693319449.0000000001F6B000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000000.366341482.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.502131214.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000003.386628983.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000000.371829021.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000003.437188672.00000000056F5000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000001.375725825.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.679442760.0000000001893000.00000002.00000001.01000000.00000003.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        Reputation:low

                                                                                                        Target ID:4
                                                                                                        Start time:18:00:38
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\healastounding.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\healastounding.exe"
                                                                                                        Imagebase:0x900000
                                                                                                        File size:3733504 bytes
                                                                                                        MD5 hash:6FB798F1090448CE26299C2B35ACF876
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.385235005.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.538356356.0000000003471000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000002.463698979.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.546334194.0000000004474000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.381351381.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.382829254.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000004.00000000.383946223.0000000000902000.00000002.00000001.01000000.00000005.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: ditekSHen
                                                                                                        • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\healastounding.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:5
                                                                                                        Start time:18:00:43
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\Pluto Panel.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\Pluto Panel.exe"
                                                                                                        Imagebase:0xf10000
                                                                                                        File size:913920 bytes
                                                                                                        MD5 hash:ED666BF7F4A0766FCEC0E9C8074B089B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.711210574.0000000004691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.393171200.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.706080641.00000000036DB000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.712472379.0000000007710000.00000004.00000001.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.394040229.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.394636472.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.701277187.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.712461562.0000000007700000.00000004.00000001.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.397247474.0000000000F12000.00000002.00000001.01000000.00000006.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                        • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Arnim Rupp
                                                                                                        • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: Joe Security
                                                                                                        • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\Pluto Panel.exe, Author: JPCERT/CC Incident Response Group
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:6
                                                                                                        Start time:18:00:44
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\test.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\test.exe"
                                                                                                        Imagebase:0xda0000
                                                                                                        File size:46080 bytes
                                                                                                        MD5 hash:7E50B292982932190179245C60C0B59B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000000.397644420.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.701971433.0000000001354000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000000.405813841.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000000.394727625.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000000.399704980.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.703770994.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000002.701012196.0000000000DA2000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\test.exe, Author: Joe Security
                                                                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\test.exe, Author: ditekSHen
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:7
                                                                                                        Start time:18:00:50
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:549556 bytes
                                                                                                        MD5 hash:0FD7DE5367376231A788872005D7ED4F
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_ficker_stealer, Description: Yara detected Ficker Stealer, Source: 00000007.00000002.468272297.00000000024F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 29%, Metadefender
                                                                                                        • Detection: 92%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        Target ID:8
                                                                                                        Start time:18:00:51
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\gay.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\gay.exe"
                                                                                                        Imagebase:0xd0000
                                                                                                        File size:37888 bytes
                                                                                                        MD5 hash:8EEDC01C11B251481DEC59E5308DCCC3
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000000.411478373.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000002.449565052.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000000.410285813.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000000.408615715.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000008.00000000.409570794.00000000000D2000.00000002.00000001.01000000.00000009.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\gay.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:9
                                                                                                        Start time:18:00:53
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\Opus.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\Opus.exe"
                                                                                                        Imagebase:0x840000
                                                                                                        File size:208384 bytes
                                                                                                        MD5 hash:759185EE3724D7563B709C888C696959
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.414257385.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.707363158.0000000003ECB000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.414807841.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.416456851.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000002.700831183.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                        • Rule: NanoCore, Description: unknown, Source: 00000009.00000000.415266906.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000009.00000002.708577022.0000000005870000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000009.00000002.708751563.0000000005B00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Florian Roth
                                                                                                        • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Florian Roth
                                                                                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: ditekSHen
                                                                                                        • Rule: NanoCore, Description: unknown, Source: C:\Users\user\AppData\Roaming\Opus.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:11
                                                                                                        Start time:18:00:57
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\22.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\22.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:2101248 bytes
                                                                                                        MD5 hash:DBF9DAA1707B1037E28A6E0694B33A4B
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: MALWARE_Win_BlackMoon, Description: Detects executables using BlackMoon RunTime, Source: C:\Users\user\AppData\Roaming\22.exe, Author: ditekSHen
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 38%, Metadefender
                                                                                                        • Detection: 86%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        Target ID:12
                                                                                                        Start time:18:00:57
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\aaa.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\aaa.exe"
                                                                                                        Imagebase:0x2c0000
                                                                                                        File size:122880 bytes
                                                                                                        MD5 hash:860AA57FC3578F7037BB27FC79B2A62C
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        Target ID:14
                                                                                                        Start time:18:00:59
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\8f1c8b40c7be588389a8d382040b23bb.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:1241088 bytes
                                                                                                        MD5 hash:8F1C8B40C7BE588389A8D382040B23BB
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:Visual Basic
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 26%, Metadefender
                                                                                                        • Detection: 86%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        Target ID:15
                                                                                                        Start time:18:00:59
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\0fd7de5367376231a788872005d7ed4f.exe"
                                                                                                        Imagebase:0x400000
                                                                                                        File size:549556 bytes
                                                                                                        MD5 hash:0FD7DE5367376231A788872005D7ED4F
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:low

                                                                                                        Target ID:16
                                                                                                        Start time:18:01:04
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\4.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\4.exe"
                                                                                                        Imagebase:0x11d0000
                                                                                                        File size:579127 bytes
                                                                                                        MD5 hash:E6DACE3F577AC7A6F9747B4A0956C8D7
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        • Detection: 17%, Metadefender, Browse
                                                                                                        • Detection: 75%, ReversingLabs
                                                                                                        Reputation:low

                                                                                                        Target ID:17
                                                                                                        Start time:18:01:07
                                                                                                        Start date:08/03/2022
                                                                                                        Path:C:\Users\user\AppData\Roaming\mediaget.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\mediaget.exe"
                                                                                                        Imagebase:0xab0000
                                                                                                        File size:37888 bytes
                                                                                                        MD5 hash:8EEDC01C11B251481DEC59E5308DCCC3
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000000.445953483.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000002.701265514.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000003.646152049.0000000001338000.00000004.00000020.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000000.445251023.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000000.447375879.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: 00000011.00000000.446671445.0000000000AB2000.00000002.00000001.01000000.0000000F.sdmp, Author: Brian Wallace @botnet_hunter
                                                                                                        • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: Joe Security
                                                                                                        • Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: ditekSHen
                                                                                                        • Rule: njrat1, Description: Identify njRat, Source: C:\Users\user\AppData\Roaming\mediaget.exe, Author: Brian Wallace @botnet_hunter
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low

                                                                                                        No disassembly