Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740 |
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49769 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738 |
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736 |
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49770 |
Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49763 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49769 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49768 |
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49756 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766 |
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49763 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49761 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760 |
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49770 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758 |
Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49756 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750 |
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49761 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49768 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747 |
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443 |
Source: unknown | TCP traffic detected without corresponding DNS query: 67.205.132.17 |
Source: unknown | TCP traffic detected without corresponding DNS query: 144.168.45.116 |
Source: iexplore.exe, 00000002.00000002.500224676.0000000004C70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://67.205.132.17:443 |
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0 |
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/Root.crl0 |
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0 |
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/primobject.crl0N |
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0 |
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09 |
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0 |
Source: cANdLlHS4N.exe, 00000000.00000002.246215033.0000000002880000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.245799041.0000000000B1E000.00000004.00000001.01000000.00000003.sdmp, obedience.exe, 00000001.00000002.247605132.0000000000496000.00000002.00000001.01000000.00000004.sdmp, obedience.exe, 00000003.00000000.262529824.0000000000496000.00000002.00000001.01000000.00000004.sdmp, obedience.exe.0.dr | String found in binary or memory: http://www.audio-tool.net |
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://www.globalsign.net/repository/0 |
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://www.globalsign.net/repository/03 |
Source: cANdLlHS4N.exe, 00000000.00000002.246524283.00000000029EF000.00000004.00000800.00020000.00000000.sdmp, cANdLlHS4N.exe, 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, obedience.exe.0.dr | String found in binary or memory: http://www.globalsign.net/repository09 |
Source: cANdLlHS4N.exe, type: SAMPLE | Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG |
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth |
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth |
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth |
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth |
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE | Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth |
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG |
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 0.0.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG |
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG |
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Red Leaves malware, related to APT10 Author: David Cannings |
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaf crypto function Author: kev |
Source: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG |
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG |
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Red Leaves malware, related to APT10 Author: David Cannings |
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaf crypto function Author: kev |
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth |
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG |
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Red Leaves malware, related to APT10 Author: David Cannings |
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaf crypto function Author: kev |
Source: 00000000.00000000.235322946.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG |
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG |
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Red Leaves malware, related to APT10 Author: David Cannings |
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect RedLeaves in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG |
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG |
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Red Leaves malware, related to APT10 Author: David Cannings |
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaf crypto function Author: kev |
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG |
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG |
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Red Leaves malware, related to APT10 Author: David Cannings |
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaf crypto function Author: kev |
Source: 00000000.00000000.235102933.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG |
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTR | Matched rule: Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX Author: USG |
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTR | Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG |
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR | Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG |
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR | Matched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team |
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR | Matched rule: Red Leaves malware, related to APT10 Author: David Cannings |
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR | Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG |
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR | Matched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team |
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR | Matched rule: Red Leaves malware, related to APT10 Author: David Cannings |
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR | Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG |
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR | Matched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team |
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR | Matched rule: Red Leaves malware, related to APT10 Author: David Cannings |
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPED | Matched rule: Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT Author: USG |
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED | Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG |
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED | Matched rule: Detects malware from Operation Cloud Hopper Author: Florian Roth |
Source: cANdLlHS4N.exe, type: SAMPLE | Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. |
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.unpack, type: UNPACKEDPE | Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: 0.2.cANdLlHS4N.exe.26e0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: 0.2.cANdLlHS4N.exe.26e0000.2.unpack, type: UNPACKEDPE | Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: 1.2.obedience.exe.6ed90000.1.unpack, type: UNPACKEDPE | Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: 3.2.obedience.exe.6ee50000.1.unpack, type: UNPACKEDPE | Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: 0.2.cANdLlHS4N.exe.ca8bf8.1.raw.unpack, type: UNPACKEDPE | Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36 |
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. |
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: 0.2.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36 |
Source: 0.0.cANdLlHS4N.exe.9a0000.0.unpack, type: UNPACKEDPE | Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. |
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36 |
Source: 00000000.00000002.246163618.0000000002710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score = |
Source: 00000003.00000002.273655894.000000006EE51000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: 00000001.00000002.248376246.000000006ED91000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: 00000000.00000000.235573187.0000000000CA2000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score = |
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A |
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10 |
Source: 00000002.00000002.499777419.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload |
Source: 00000000.00000002.245756146.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. |
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A |
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10 |
Source: 00000002.00000000.244543247.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload |
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: 00000000.00000002.246143559.00000000026E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A |
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10 |
Source: 00000002.00000000.244858067.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload |
Source: 00000000.00000000.235322946.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. |
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A |
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10 |
Source: 00000002.00000002.500129541.0000000004B40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaves hash1 = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481, author = JPCERT/CC Incident Response Group, description = detect RedLeaves in memory, rule_usage = memory block scan, reference = https://blogs.jpcert.or.jp/en/2017/05/volatility-plugin-for-detecting-redleaves-malware.html |
Source: 00000000.00000002.245504697.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. |
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A |
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10 |
Source: 00000001.00000002.248128854.0000000002580000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload |
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: 00000000.00000002.246010185.0000000000CA2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36 |
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A |
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10 |
Source: 00000003.00000002.273510822.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: RedLeaf author = kev, description = RedLeaf crypto function, cape_type = RedLeaf Payload |
Source: 00000000.00000000.235102933.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. |
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTR | Matched rule: Dropper_DeploysMalwareViaSideLoading author = USG, description = Detect a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481: drops REDLEAVES. 6392e0701a77ea25354b1f40f5b867a35c0142abde785a66b83c9c8d2c14c0c3: drops plugx. |
Source: Process Memory Space: cANdLlHS4N.exe PID: 6048, type: MEMORYSTR | Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36 |
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR | Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A |
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR | Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538 |
Source: Process Memory Space: obedience.exe PID: 488, type: MEMORYSTR | Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10 |
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR | Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A |
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR | Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538 |
Source: Process Memory Space: iexplore.exe PID: 5844, type: MEMORYSTR | Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10 |
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR | Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A |
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR | Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538 |
Source: Process Memory Space: obedience.exe PID: 5080, type: MEMORYSTR | Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10 |
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPED | Matched rule: REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief author = USG, description = Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = fb0c714cd2ebdcc6f33817abe7813c36 |
Source: C:\Users\user\AppData\Local\Temp\handkerchief.dat, type: DROPPED | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score = |
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED | Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae |
Source: C:\Users\user\AppData\Local\Temp\StarBurn.dll, type: DROPPED | Matched rule: OpCloudHopper_Malware_6 date = 2017-04-03, hash1 = aabebea87f211d47f72d662e2449009f83eac666d81b8629cf57219d0ce31af6, author = Florian Roth, description = Detects malware from Operation Cloud Hopper, reference = https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004637A8 NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0045893C GetSubMenu,SaveDC,RestoreDC,73BEB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00448B44 NtdllDefWindowProc_A,GetCapture, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0043AFAC NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_004637A8 NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0045893C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00448B44 NtdllDefWindowProc_A,GetCapture, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0043AFAC NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00AAD385 push ecx; ret |
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_00AAD30A push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00450214 push 004502A1h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048A028 push 0048A054h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004660E8 push 00466114h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0043E0F8 push 0043E124h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00482094 push ecx; mov dword ptr [esp], edx |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00486158 push 00486184h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00466120 push 0046614Ch; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0043018C push 004301B8h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004501AC push 00450212h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00488254 push 00488280h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0043E260 push 0043E28Ch; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048821C push 00488248h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048A310 push 0048A33Ch; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004205FC push ecx; mov dword ptr [esp], edx |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048A5A4 push 0048A5D0h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0041867C push ecx; mov dword ptr [esp], eax |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00466714 push 00466757h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_004188E0 push ecx; mov dword ptr [esp], edx |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0041C968 push ecx; mov dword ptr [esp], edx |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048A9C0 push 0048A9ECh; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0042CA4C push 0042CB1Ch; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0048CA34 push 0048CA60h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00466B78 push 00466BA4h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00406B08 push 00406B59h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00418B08 push ecx; mov dword ptr [esp], edx |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00430B10 push 00430B5Fh; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00416BD4 push 00416C21h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00466BE8 push 00466C14h; ret |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00466BB0 push 00466BDCh; ret |
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: 0_2_009A836B IsWindowVisible,IsIconic, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00463830 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0044A290 IsIconic,GetCapture, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00460740 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0044AB44 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0044B468 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_0042D738 IsIconic,GetWindowPlacement,GetWindowRect, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 1_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00463830 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0044A290 IsIconic,GetCapture, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00460740 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0044AB44 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0044B468 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_0042D738 IsIconic,GetWindowPlacement,GetWindowRect, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00463F4C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: 3_2_00463FFC IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, |
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, |
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, |
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, |
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA,GetACP, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLastError,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoA, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoA, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoW, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoA, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: EnumSystemLocalesA, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoA, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: EnumSystemLocalesA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA,GetACP, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, |
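The "Code function" lines above are the raw evidence behind a locale-query behaviour signature, and most of them are noise an analyst has to filter by hand: symbols such as ___getlocaleinfo, __calloc_crt, ___free_lconv_mon, _GetLcidFromLangCountry and _LocaleUpdate::_LocaleUpdate are MSVC CRT internals run during setlocale/lconv initialisation, while the imported Win32 calls (GetLocaleInfoA/W, GetThreadLocale, GetUserDefaultLCID, EnumSystemLocalesA, GetACP) are the ones worth reading in context. The added example below (editor's code, not part of the sandbox report or any vendor tool) parses lines in this report's format, splits CRT-internal helpers from Win32 locale APIs per source binary, and lists functions where a locale query sits in the same function as registry reads or LoadLibraryEx, which is the pattern obedience.exe shows. The watch-lists, the leading-underscore heuristic for CRT symbols, and the abridged sample lines are assumptions; the sample is a constructed excerpt of the report's own lines, shortened for the example.

```python
"""Parse 'Source: <binary> | Code function: f1,f2,... |' lines from a sandbox
report and separate Win32 locale queries from MSVC CRT locale boilerplate.

Added example by the editor; not code from the sandbox report or its vendor.
"""
import re
from collections import Counter

# Constructed excerpt: a few of the report's own lines, abridged.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\cANdLlHS4N.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: GetLocaleInfoA,GetACP, |
Source: C:\Users\user\AppData\Local\Temp\obedience.exe | Code function: __calloc_crt,__malloc_crt,_free,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,_free, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743 |
"""

# Assumption: analyst's own watch-list of Win32 locale / code-page APIs seen in the report.
WIN32_LOCALE_APIS = {
    "GetLocaleInfoA", "GetLocaleInfoW", "GetThreadLocale", "GetUserDefaultLCID",
    "EnumSystemLocalesA", "IsValidLocale", "IsValidCodePage", "GetACP",
}
# Assumption: APIs whose presence in the same function gives the locale query context.
CONTEXT_APIS = {"RegOpenKeyExA", "RegQueryValueExA", "LoadLibraryExA", "LoadLibraryA", "LoadLibraryW"}

LINE_RE = re.compile(r"^Source:\s*(?P<src>.+?)\s*\|\s*Code function:\s*(?P<funcs>.*?)\s*\|?\s*$")


def parse_line(line):
    """Return (source_binary, [function names]) or None for non-code-function lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    funcs = [f for f in m.group("funcs").split(",") if f]  # drop the trailing empty field
    return m.group("src"), funcs


def is_crt_internal(name):
    """Heuristic: MSVC CRT helpers carry leading underscores (___getlocaleinfo,
    __calloc_crt, _LocaleUpdate::...); imported Win32 APIs do not."""
    return name.startswith("_")


def summarise(report_text):
    """Per source binary: count of listed functions, Win32 locale API call counts,
    CRT-internal helper count, and the other Win32 APIs called alongside."""
    summary = {}
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # network events and similar are not code-function evidence
        src, funcs = parsed
        entry = summary.setdefault(src, {"functions": 0, "win32_locale": Counter(),
                                         "crt_internal": 0, "co_called": set()})
        entry["functions"] += 1
        for f in funcs:
            if f in WIN32_LOCALE_APIS:
                entry["win32_locale"][f] += 1
            elif is_crt_internal(f):
                entry["crt_internal"] += 1
            else:
                entry["co_called"].add(f)
    return summary


def locale_queries_with_context(report_text):
    """Functions where a Win32 locale query shares a function with registry reads
    or DLL loading. Returns [(source, sorted locale APIs, sorted context APIs)]."""
    hits = []
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, funcs = parsed
        loc = sorted(set(funcs) & WIN32_LOCALE_APIS)
        ctx = sorted(set(funcs) & CONTEXT_APIS)
        if loc and ctx:
            hits.append((src, loc, ctx))
    return hits


if __name__ == "__main__":
    for src, entry in summarise(SAMPLE_REPORT).items():
        print(src, dict(entry["win32_locale"]), "crt_internal:", entry["crt_internal"])
    for src, loc, ctx in locale_queries_with_context(SAMPLE_REPORT):
        print("review:", src, loc, "with", ctx)
```

On the sample, the CRT-only functions fall out of the Win32 counts entirely, and the one function flagged for review is the obedience.exe routine that reads three registry keys, queries GetThreadLocale/GetLocaleInfoA and then tries LoadLibraryExA three times. That sequence is consistent with a runtime's localised resource-DLL lookup (a library looking for a language-specific module next to the executable) as much as with locale-based evasion, so the flag is a triage pointer, not a verdict; the editor's assessment, not something the report states.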