Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312CAFC CryptUnprotectData,LocalAlloc,LocalFree, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312CF58 LocalAlloc,BCryptDecrypt,LocalFree, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, |
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: SHIPMENTDOCUMENTSPDF.exe PID: 6764, type: MEMORYSTR |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312FF27 FindFirstFileW,FindNextFileW, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03129DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, |
Source: SHIPMENTDOCUMENTSPDF.exe | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper |
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC: |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312902E DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_031289D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.27389af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.272053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 2.2.SHIPMENTDOCUMENTSPDF.exe.3120000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT |
Source: 00000002.00000002.160901038082.000000000326F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841 |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_007D0E50 |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0077EE20 |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0077F730 |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03131BF8 |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_02731537 |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 00754DD1 appears 270 times |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 00751E1F appears 606 times |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 031235E5 appears 40 times |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 007525E5 appears 49 times |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 00751DBB appears 36 times |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: String function: 03130969 appears 47 times |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, |
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: SHIPMENTDOCUMENTSPDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03121190 push eax; ret |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_02720ACF push eax; ret |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_02733DF0 push ebp; retf |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0312AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, |
Source: SHIPMENTDOCUMENTSPDF.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList |
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList |
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900189054.0000000002720000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType |
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList |
Source: SHIPMENTDOCUMENTSPDF.exe, 00000002.00000002.160900903714.0000000003134000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_007DA290 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03130619 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03130620 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0313094E mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0273028D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_02720467 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_027384B1 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0272FF58 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0272FF5F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_00784490 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_00784740 SetUnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_00782EB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_0079B370 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_031279E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, |
Source: C:\Users\user\Desktop\SHIPMENTDOCUMENTSPDF.exe | Code function: 2_2_03131FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, |