Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_004339B6 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, | 0_2_00452492 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00442886 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_004788BD |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, | 0_2_0045CAFA |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00431A86 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, | 0_2_0044BD27 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, | 0_2_0045DE8F |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_0044BF8B |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, | 9_2_004339B6 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, | 9_2_00452492 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 9_2_00442886 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 9_2_004788BD |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, | 9_2_0045CAFA |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 9_2_00431A86 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, | 9_2_0044BD27 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0045DE8F FindFirstFileW,FindClose, | 9_2_0045DE8F |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, | 9_2_0044BF8B |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 10_2_00409253 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 10_2_0041C291 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 10_2_0040C34D |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 10_2_00409665 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0044E879 FindFirstFileExA, | 10_2_0044E879 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 10_2_0040880C |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0040783C FindFirstFileW,FindNextFileW, | 10_2_0040783C |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, | 10_2_00419AF5 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, | 10_2_0040BB30 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, | 10_2_0040BD37 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 21_2_00409253 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 21_2_0041C291 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 21_2_0040C34D |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 21_2_00409665 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0044E879 FindFirstFileExA, | 21_2_0044E879 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 21_2_0040880C |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0040783C FindFirstFileW,FindNextFileW, | 21_2_0040783C |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, | 21_2_00419AF5 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, | 21_2_0040BB30 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, | 21_2_0040BD37 |
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 9.2.parterres.exe.42d0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 9.2.parterres.exe.42d0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 9.2.parterres.exe.42d0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 7.2.parterres.exe.42c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 7.2.parterres.exe.42c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 7.2.parterres.exe.42c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 21.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 21.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 21.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 20.2.parterres.exe.2fe0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 20.2.parterres.exe.2fe0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 20.2.parterres.exe.2fe0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 18.2.parterres.exe.4310000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 20.2.parterres.exe.2fe0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 18.2.parterres.exe.4310000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 20.2.parterres.exe.2fe0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 18.2.parterres.exe.4310000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 20.2.parterres.exe.2fe0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 7.2.parterres.exe.42c0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 7.2.parterres.exe.42c0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 7.2.parterres.exe.42c0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 18.2.parterres.exe.4310000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 18.2.parterres.exe.4310000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 18.2.parterres.exe.4310000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 9.2.parterres.exe.42d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 9.2.parterres.exe.42d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 9.2.parterres.exe.42d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 21.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 21.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 21.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0000000A.00000002.3005417661.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0000000A.00000002.3005417661.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0000000A.00000002.3005417661.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000012.00000002.3016894901.0000000004310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000012.00000002.3016894901.0000000004310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000012.00000002.3016894901.0000000004310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000009.00000002.2869969455.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000009.00000002.2869969455.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000009.00000002.2869969455.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000014.00000002.3049768179.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000014.00000002.3049768179.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000014.00000002.3049768179.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000007.00000002.2836185950.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000007.00000002.2836185950.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000007.00000002.2836185950.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000015.00000002.3887790648.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000015.00000002.3887790648.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000015.00000002.3887790648.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: Process Memory Space: parterres.exe PID: 7632, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: parterres.exe PID: 6120, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: svchost.exe PID: 7544, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: parterres.exe PID: 764, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: parterres.exe PID: 7056, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: svchost.exe PID: 5952, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_004096A0 | 0_2_004096A0 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0042200C | 0_2_0042200C |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0041A217 | 0_2_0041A217 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00412216 | 0_2_00412216 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0042435D | 0_2_0042435D |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_004033C0 | 0_2_004033C0 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0044F430 | 0_2_0044F430 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_004125E8 | 0_2_004125E8 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0044663B | 0_2_0044663B |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00413801 | 0_2_00413801 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0042096F | 0_2_0042096F |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_004129D0 | 0_2_004129D0 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_004119E3 | 0_2_004119E3 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0041C9AE | 0_2_0041C9AE |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0047EA6F | 0_2_0047EA6F |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0040FA10 | 0_2_0040FA10 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0044EB5F | 0_2_0044EB5F |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00423C81 | 0_2_00423C81 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00411E78 | 0_2_00411E78 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00442E0C | 0_2_00442E0C |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00420EC0 | 0_2_00420EC0 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0044CF17 | 0_2_0044CF17 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00444FD2 | 0_2_00444FD2 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_017737A0 | 0_2_017737A0 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 7_2_02E337A0 | 7_2_02E337A0 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_004096A0 | 9_2_004096A0 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0042200C | 9_2_0042200C |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0041A217 | 9_2_0041A217 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00412216 | 9_2_00412216 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0042435D | 9_2_0042435D |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_004033C0 | 9_2_004033C0 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0044F430 | 9_2_0044F430 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_004125E8 | 9_2_004125E8 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0044663B | 9_2_0044663B |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00413801 | 9_2_00413801 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0042096F | 9_2_0042096F |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_004129D0 | 9_2_004129D0 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_004119E3 | 9_2_004119E3 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0041C9AE | 9_2_0041C9AE |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0047EA6F | 9_2_0047EA6F |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0040FA10 | 9_2_0040FA10 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0044EB5F | 9_2_0044EB5F |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00423C81 | 9_2_00423C81 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00411E78 | 9_2_00411E78 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00442E0C | 9_2_00442E0C |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00420EC0 | 9_2_00420EC0 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0044CF17 | 9_2_0044CF17 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00444FD2 | 9_2_00444FD2 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00A937A0 | 9_2_00A937A0 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0043E0CC | 10_2_0043E0CC |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0041F0FA | 10_2_0041F0FA |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00454159 | 10_2_00454159 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00438168 | 10_2_00438168 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_004461F0 | 10_2_004461F0 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0043E2FB | 10_2_0043E2FB |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0045332B | 10_2_0045332B |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0042739D | 10_2_0042739D |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_004374E6 | 10_2_004374E6 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0043E558 | 10_2_0043E558 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00438770 | 10_2_00438770 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_004378FE | 10_2_004378FE |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00433946 | 10_2_00433946 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0044D9C9 | 10_2_0044D9C9 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00427A46 | 10_2_00427A46 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0041DB62 | 10_2_0041DB62 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00427BAF | 10_2_00427BAF |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00437D33 | 10_2_00437D33 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00435E5E | 10_2_00435E5E |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00426E0E | 10_2_00426E0E |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0043DE9D | 10_2_0043DE9D |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00413FCA | 10_2_00413FCA |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00436FEA | 10_2_00436FEA |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 18_2_043037A0 | 18_2_043037A0 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 20_2_02EB37A0 | 20_2_02EB37A0 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0043E0CC | 21_2_0043E0CC |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0041F0FA | 21_2_0041F0FA |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00454159 | 21_2_00454159 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00438168 | 21_2_00438168 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_004461F0 | 21_2_004461F0 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0043E2FB | 21_2_0043E2FB |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0045332B | 21_2_0045332B |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0042739D | 21_2_0042739D |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_004374E6 | 21_2_004374E6 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0043E558 | 21_2_0043E558 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00438770 | 21_2_00438770 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_004378FE | 21_2_004378FE |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00433946 | 21_2_00433946 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0044D9C9 | 21_2_0044D9C9 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00427A46 | 21_2_00427A46 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0041DB62 | 21_2_0041DB62 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00427BAF | 21_2_00427BAF |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00437D33 | 21_2_00437D33 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00435E5E | 21_2_00435E5E |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00426E0E | 21_2_00426E0E |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0043DE9D | 21_2_0043DE9D |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00413FCA | 21_2_00413FCA |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00436FEA | 21_2_00436FEA |
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 10.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 9.2.parterres.exe.42d0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 9.2.parterres.exe.42d0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 9.2.parterres.exe.42d0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 7.2.parterres.exe.42c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 7.2.parterres.exe.42c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 7.2.parterres.exe.42c0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 21.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 21.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 21.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 20.2.parterres.exe.2fe0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 20.2.parterres.exe.2fe0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 20.2.parterres.exe.2fe0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 18.2.parterres.exe.4310000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 20.2.parterres.exe.2fe0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 18.2.parterres.exe.4310000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 20.2.parterres.exe.2fe0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 18.2.parterres.exe.4310000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 20.2.parterres.exe.2fe0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 7.2.parterres.exe.42c0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 7.2.parterres.exe.42c0000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 7.2.parterres.exe.42c0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 10.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 18.2.parterres.exe.4310000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 18.2.parterres.exe.4310000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 18.2.parterres.exe.4310000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 9.2.parterres.exe.42d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 9.2.parterres.exe.42d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 9.2.parterres.exe.42d0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 21.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 21.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 21.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0000000A.00000002.3005417661.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0000000A.00000002.3005417661.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0000000A.00000002.3005417661.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000012.00000002.3016894901.0000000004310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000012.00000002.3016894901.0000000004310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000012.00000002.3016894901.0000000004310000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000009.00000002.2869969455.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000009.00000002.2869969455.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000009.00000002.2869969455.00000000042D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000014.00000002.3049768179.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000014.00000002.3049768179.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000014.00000002.3049768179.0000000002FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000007.00000002.2836185950.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000007.00000002.2836185950.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000007.00000002.2836185950.00000000042C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000015.00000002.3887790648.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000015.00000002.3887790648.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000015.00000002.3887790648.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: Process Memory Space: parterres.exe PID: 7632, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: parterres.exe PID: 6120, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: svchost.exe PID: 7544, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: parterres.exe PID: 764, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: parterres.exe PID: 7056, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: svchost.exe PID: 5952, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: wsock32.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: winmm.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wsock32.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: winmm.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wsock32.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: winmm.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winmm.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: urlmon.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rstrtmgr.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ncrypt.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ntasn1.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wsock32.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: winmm.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wsock32.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: winmm.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winmm.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: urlmon.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wininet.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rstrtmgr.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ncrypt.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ntasn1.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_004339B6 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, | 0_2_00452492 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00442886 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_004788BD |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, | 0_2_0045CAFA |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00431A86 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, | 0_2_0044BD27 |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose, | 0_2_0045DE8F |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_107.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_0044BF8B |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose, | 9_2_004339B6 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose, | 9_2_00452492 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 9_2_00442886 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 9_2_004788BD |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose, | 9_2_0045CAFA |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 9_2_00431A86 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, | 9_2_0044BD27 |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0045DE8F FindFirstFileW,FindClose, | 9_2_0045DE8F |
Source: C:\Users\user\AppData\Local\Esher\parterres.exe | Code function: 9_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, | 9_2_0044BF8B |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 10_2_00409253 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 10_2_0041C291 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 10_2_0040C34D |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 10_2_00409665 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0044E879 FindFirstFileExA, | 10_2_0044E879 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 10_2_0040880C |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0040783C FindFirstFileW,FindNextFileW, | 10_2_0040783C |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, | 10_2_00419AF5 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, | 10_2_0040BB30 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 10_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, | 10_2_0040BD37 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 21_2_00409253 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, | 21_2_0041C291 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, | 21_2_0040C34D |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, | 21_2_00409665 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0044E879 FindFirstFileExA, | 21_2_0044E879 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, | 21_2_0040880C |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0040783C FindFirstFileW,FindNextFileW, | 21_2_0040783C |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, | 21_2_00419AF5 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, | 21_2_0040BB30 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 21_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, | 21_2_0040BD37 |
Source: Amcache.hve.13.dr | Binary or memory string: VMware |
Source: Amcache.hve.13.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.13.dr | Binary or memory string: vmci.syshbin |
Source: Amcache.hve.13.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67 |
Source: Amcache.hve.13.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.13.dr | Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.13.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.13.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.13.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.13.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.13.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.13.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.13.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: svchost.exe, 0000000A.00000002.3005723032.0000000002E12000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: Amcache.hve.13.dr | Binary or memory string: vmci.sys |
Source: Amcache.hve.13.dr | Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.13.dr | Binary or memory string: \driver\vmci,\driver\pci |
Source: svchost.exe, 00000015.00000002.3888811642.0000000003012000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp |
Source: Amcache.hve.13.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: Amcache.hve.13.dr | Binary or memory string: VMware20,1 |
Source: Amcache.hve.13.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.13.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.13.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.13.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.13.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.13.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
Source: Amcache.hve.13.dr | Binary or memory string: VMware PCI VMCI Bus Device |
Source: Amcache.hve.13.dr | Binary or memory string: VMware VMCI Bus Device |
Source: Amcache.hve.13.dr | Binary or memory string: VMware Virtual RAM |
Source: Amcache.hve.13.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.13.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563 |