Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, | 2_2_0312A632
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312CAFC CryptUnprotectData,LocalAlloc,LocalFree, | 2_2_0312CAFC
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312CF58 LocalAlloc,BCryptDecrypt,LocalFree, | 2_2_0312CF58
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, | 2_2_0312CC54
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, | 2_2_0312CCB4
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, | 2_2_0312B15E
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SHIPMENTDOCUMENTSPDF.exe PID: 6764, type: MEMORYSTR
Source: SHIPMENTDOCUMENTSPDF.exe | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312902E DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices, | 2_2_0312902E
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_031289D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, | 2_2_031289D5
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_007D0E50 | 2_2_007D0E50
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0077EE20 | 2_2_0077EE20
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0077F730 | 2_2_0077F730
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03131BF8 | 2_2_03131BF8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_02731537 | 2_2_02731537
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 00754DD1 appears 270 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 00751E1F appears 606 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 031235E5 appears 40 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 007525E5 appears 49 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 00751DBB appears 36 times
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 03130969 appears 47 times
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03121190 push eax; ret | 2_2_031211A4
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03121190 push eax; ret | 2_2_031211CC
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_02720ACF push eax; ret | 2_2_02720AE3
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_02720ACF push eax; ret | 2_2_02720B0B
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_02733DF0 push ebp; retf | 2_2_02733EA3
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, | 2_2_0312A6C8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, | 2_2_0312AC0A
Source: SHIPMENTDOCUMENTSPDF.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp |
String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType |
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp |
String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_007DA290 mov eax, dword ptr fs:[00000030h] | 2_2_007DA290
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03130619 mov eax, dword ptr fs:[00000030h] | 2_2_03130619
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03130620 mov eax, dword ptr fs:[00000030h] | 2_2_03130620
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0313094E mov eax, dword ptr fs:[00000030h] | 2_2_0313094E
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0273028D mov eax, dword ptr fs:[00000030h] | 2_2_0273028D
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_02720467 mov eax, dword ptr fs:[00000030h] | 2_2_02720467
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_027384B1 mov eax, dword ptr fs:[00000030h] | 2_2_027384B1
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0272FF58 mov eax, dword ptr fs:[00000030h] | 2_2_0272FF58
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0272FF5F mov eax, dword ptr fs:[00000030h] | 2_2_0272FF5F
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_00784490 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_00784490
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_00784740 SetUnhandledExceptionFilter, | 2_2_00784740
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_00782EB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 2_2_00782EB0
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0079B370 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_0079B370
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_031279E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, | 2_2_031279E8
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03131FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, | 2_2_03131FD8
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SHIPMENTDOCUMENTSPDF.exe PID: 6764, type: MEMORYSTR
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY