Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
Analysis ID: 753413
MD5: 2015410bb46bda0bd98be49f2ca03e00
SHA1: f500da9df562378cd0565485489321d59fa1699c
SHA256: c36284bc37b2aaf39d2e911ef97aac1fa583ca30d90f2cd006635f8f5bf0d7e1
Tags: AveMariaRATexe
Infos:

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

barindex
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe ReversingLabs: Detection: 19%
Source: Yara match File source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df8cd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hAwKqJPm.exe PID: 868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe ReversingLabs: Detection: 19%
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Joe Sandbox ML: detected
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack Avira: Label: TR/Downloader.Gen
Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AveMaria {"C2 url": "leekong.duckdns.org", "port": 6640}

Exploits

barindex
Source: Yara match File source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.498f1a0.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.464c000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.268913110.0000000000562000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.279119713.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hAwKqJPm.exe PID: 868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584, type: MEMORYSTR
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Directory created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

barindex
Source: Traffic Snort IDS: 2038897 ET TROJAN Warzone RAT Response (Inbound) 103.150.8.47:6640 -> 192.168.2.3:49691
Source: Traffic Snort IDS: 2852356 ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket 103.150.8.47:6640 -> 192.168.2.3:49691
Source: Traffic Snort IDS: 2851895 ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 103.150.8.47:6640 -> 192.168.2.3:49691
Source: Traffic Snort IDS: 2852357 ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse 192.168.2.3:49691 -> 103.150.8.47:6640
Source: Traffic Snort IDS: 2851933 ETPRO TROJAN Ave Maria/Warzone RAT ListPasswordsCommand 103.150.8.47:6640 -> 192.168.2.3:49691
Source: Traffic Snort IDS: 2851945 ETPRO TROJAN Ave Maria/Warzone RAT PingCommand 103.150.8.47:6640 -> 192.168.2.3:49691
Source: Traffic Snort IDS: 2851946 ETPRO TROJAN Ave Maria/Warzone RAT PingResponse 192.168.2.3:49691 -> 103.150.8.47:6640
Source: Malware configuration extractor URLs: leekong.duckdns.org
Source: unknown DNS query: name: leekong.duckdns.org
Source: Joe Sandbox View ASN Name: XTOM-AS-JPxTomJP XTOM-AS-JPxTomJP
Source: global traffic TCP traffic: 192.168.2.3:49691 -> 103.150.8.47:6640
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244875435.0000000006216000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244541126.0000000006233000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244510338.0000000006233000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244485601.0000000006232000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244567187.0000000006233000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244597426.0000000006233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.wikipedia
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246736589.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246673230.0000000006217000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersiva
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF2
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250009805.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comK
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254614525.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.288947142.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254731944.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254614525.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.288947142.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254731944.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comceco
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comcomF2
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250009805.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250009805.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comgritog
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comiced
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254614525.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.288947142.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254731944.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comionm
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comlicr
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.251108759.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comn
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.251108759.000000000621C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.251222842.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comonyd
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comx
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246129356.0000000006218000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246006407.0000000006217000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246180301.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246129356.0000000006218000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnG
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246180301.0000000006217000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnX
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246006407.0000000006217000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnion
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s_tr
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ww.mK
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245634926.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247567253.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244950903.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245165040.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244885604.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244712367.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247480222.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244827108.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244764143.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245711171.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244742234.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245899283.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245260378.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246660475.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245075024.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246297100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247170656.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245317017.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247119623.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245431681.000000000622B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245634926.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247567253.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244950903.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245165040.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244885604.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247480222.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244827108.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244764143.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245711171.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245899283.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245260378.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246660475.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245075024.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246297100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247170656.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245317017.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247119623.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245431681.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246576079.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244800921.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246100788.000000000622B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comG
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245634926.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247567253.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244950903.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245165040.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244885604.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247480222.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244827108.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244764143.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245711171.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245899283.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245260378.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246660475.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245075024.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246297100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247170656.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245317017.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247119623.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245431681.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246576079.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244800921.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246100788.000000000622B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comegQ
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248060428.0000000006245000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248114380.0000000006244000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248094904.0000000006246000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com-s
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279232900.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper-instInitWindows
Source: unknown DNS traffic detected: queries for: leekong.duckdns.org
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData

E-Banking Fraud

barindex
Source: Yara match File source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df8cd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hAwKqJPm.exe PID: 868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584, type: MEMORYSTR

System Summary

barindex
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.498f1a0.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.498f1a0.13.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.498f1a0.13.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.464c000.10.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000006.00000000.268913110.0000000000562000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000006.00000003.279119713.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Code function: 0_2_0325C164 0_2_0325C164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Code function: 0_2_0325E5A0 0_2_0325E5A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Code function: 0_2_0325E5B0 0_2_0325E5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Code function: 0_2_07CE0040 0_2_07CE0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Code function: 0_2_07CE0037 0_2_07CE0037
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Code function: 0_2_094C0040 0_2_094C0040
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Code function: 5_2_04D2E5B0 5_2_04D2E5B0
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Code function: 5_2_04D2E5A0 5_2_04D2E5A0
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Code function: 5_2_04D2C164 5_2_04D2C164
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Code function: 5_2_08230006 5_2_08230006
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Code function: 5_2_08230040 5_2_08230040
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000000.241559617.0000000000FA8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNvAX.exe8 vs SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.290690250.0000000007B30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Binary or memory string: OriginalFilenameNvAX.exe8 vs SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: hAwKqJPm.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe ReversingLabs: Detection: 19%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Jump to behavior
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\hAwKqJPm.exe C:\Users\user\AppData\Roaming\hAwKqJPm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp9691.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process created: C:\Users\user\AppData\Roaming\hAwKqJPm.exe C:\Users\user\AppData\Roaming\hAwKqJPm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp9691.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process created: C:\Users\user\AppData\Roaming\hAwKqJPm.exe C:\Users\user\AppData\Roaming\hAwKqJPm.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe File created: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe File created: C:\Users\user\AppData\Local\Temp\tmp58FB.tmp Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.expl.evad.winEXE@15/9@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1832:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_01
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Mutant created: \Sessions\1\BaseNamedObjects\bAWcTXuCgNjR
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5176:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe File created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Directory created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

barindex
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, MIllionaire/NewQuestion.cs .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: hAwKqJPm.exe.0.dr, MIllionaire/NewQuestion.cs .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.ed0000.0.unpack, MIllionaire/NewQuestion.cs .Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Code function: 0_2_094C35F7 push edi; retf 0_2_094C35FE
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Code function: 5_2_0909249D push FFFFFF8Bh; iretd 5_2_090924A7
Source: initial sample Static PE information: section name: .text entropy: 7.699539405299492
Source: initial sample Static PE information: section name: .text entropy: 7.699539405299492
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe File created: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Jump to dropped file

Boot Survival

barindex
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp

Hooking and other Techniques for Hiding and Protection

barindex
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279232900.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279232900.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ed_key":""}DPAPITermService%ProgramFiles%%windir%\System32%ProgramW6432%%ProgramFiles%\Microsoft DN1\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dll\sqlmap.dllrudprpdprudpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListrpdpSeDebugPrivilege%SystemRoot%\System32\termsrv.dllrudprpdpSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathSYSTEM\CurrentControlSet\Services\TermService\Parameterssvchost.exesvchost.exe -kServiceDllCertPropSvcSessionEnvServicesActiveEnableConcurrentSessionsSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllAllowMultipleTSSessionsNameSYSTEM\CurrentControlSet\Control\Terminal ServerRDPClipTypeSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonTypeSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsServicesActiveServicesActiveServicesActive
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe File opened: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: hAwKqJPm.exe PID: 868, type: MEMORYSTR
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe TID: 5280 Thread sleep time: -42186s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe TID: 5416 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2572 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe TID: 4632 Thread sleep time: -42186s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe TID: 2820 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9291 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Thread delayed: delay time: 42186 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Thread delayed: delay time: 42186 Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
Source: hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: hAwKqJPm.exe, 00000013.00000003.303113348.0000000001161000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Memory written: C:\Users\user\AppData\Roaming\hAwKqJPm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp9691.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe Process created: C:\Users\user\AppData\Roaming\hAwKqJPm.exe C:\Users\user\AppData\Roaming\hAwKqJPm.exe Jump to behavior