Source: I7fn013KZY.exe, 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp |
String found in binary or memory: ftp://http://https://ftp.fireFTPsites.datSeaMonkey |
Source: I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.79.156.18/bit |
Source: I7fn013KZY.exe, 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://185.79.156.18/bit/03/gate.php |
Source: I7fn013KZY.exe, 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://185.79.156.18/bit/03/gate.phpYUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0 |
Source: I7fn013KZY.exe, 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://https://ftp://operawand.dat_Software |
Source: I7fn013KZY.exe, 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, I7fn013KZY.exe, 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.496550551.0000000000413000.00000002.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://www.ibsensoftware.com/ |
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: CallHistoryClient.exe.0.dr |
String found in binary or memory: https://precisionsec.com/wp-content/uploads/2017/07/precisionsec-logo-website-edited-1-e150043196313 |
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search |
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= |
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp |
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf |
Source: RegAsm.exe, 00000001.00000003.493312146.0000000001670000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR |
Matched rule: Identify Pony Author: Brian Wallace @botnet_hunter |
Source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR |
Matched rule: Windows_Trojan_Pony_d5516fe8 Author: unknown |
Source: I7fn013KZY.exe, type: SAMPLE |
Matched rule: SUSP_Imphash_Mar23_3 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits, score = b5296cf0eb22fba6e2f68d0c9de9ef7845f330f7c611a0d60007aa87e270c62a, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = fe53b9d820adf3bcddf42976b8af1411e87d9dfd9aa479f12b2db50a5600f348 |
Source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 0.0.I7fn013KZY.exe.dc0000.0.unpack, type: UNPACKEDPE |
Matched rule: SUSP_Imphash_Mar23_3 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits, score = b5296cf0eb22fba6e2f68d0c9de9ef7845f330f7c611a0d60007aa87e270c62a, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = fe53b9d820adf3bcddf42976b8af1411e87d9dfd9aa479f12b2db50a5600f348 |
Source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000001.00000002.496556491.0000000000414000.00000004.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR |
Matched rule: pony date = 2014-08-16, author = Brian Wallace @botnet_hunter, description = Identify Pony, author_email = bwall@ballastsecurity.net |
Source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR |
Matched rule: Windows_Trojan_Pony_d5516fe8 reference_sample = 423e792fcd00265960877482e8148a0d49f0898f4bbc190894721fde22638567, os = windows, severity = x86, creation_date = 2021-08-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Pony, fingerprint = 9d4d847f55a693a45179a904efe20afd05a92650ac47fb19ef523d469a33795f, id = d5516fe8-3b25-4c46-9e5b-111ca312a824, last_modified = 2021-10-04 |
Source: C:\Users\user\AppData\Roaming\BitLockerWizardElev\CallHistoryClient.exe, type: DROPPED |
Matched rule: SUSP_Imphash_Mar23_3 date = 2023-03-23, author = Arnim Rupp (https://github.com/ruppde), description = Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits, score = b5296cf0eb22fba6e2f68d0c9de9ef7845f330f7c611a0d60007aa87e270c62a, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/SigmaHQ/Detection-Rule-License, hash = fe53b9d820adf3bcddf42976b8af1411e87d9dfd9aa479f12b2db50a5600f348 |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00DC3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00DC189B NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4C8BE NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4C88F NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4C860 NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4C57D SendMessageW,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4C93E ClientToScreen,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4C909 NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00DC16DE GetParent,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00DC1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00DC1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73C34310,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00DC16B5 NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4CA7C GetWindowLongW,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00DC167D NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4D3B8 NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4D78C NtdllDialogWndProc_W, |
Source: C:\Users\user\Desktop\I7fn013KZY.exe |
Code function: 0_2_00E4BF30 NtdllDialogWndProc_W, |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3d110a8.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.d70000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3cf7fe8.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3cf7fe8.6.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3ce19e0.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.d70000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3cf7fe8.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3cf7fe8.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3d110a8.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3cf7fe8.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3cf7fe8.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3ce19e0.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3cf7fe8.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.3.I7fn013KZY.exe.3cf7fe8.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000001.00000002.496550551.0000000000413000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.354101634.0000000003CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.355330639.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.355470193.0000000003D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.353846932.0000000003CF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.356276223.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.356276223.0000000003CCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.353791331.0000000003CA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.355470193.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.358388594.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.353649369.0000000003B22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000003.356873401.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: I7fn013KZY.exe PID: 6080, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegAsm.exe PID: 4528, type: MEMORYSTR |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\ExpanDrive\drives.js |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\CuteFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Quick.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\History.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\History.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\SharedSettings_1_0_5.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\wcx_ftp.ini |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\ExpanDrive\drives.js |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\RhinoSoft.com\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\SharedSettings.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Pro\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FlashFXP\4\History.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\TurboFTP |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FlashFXP\3\Sites.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FlashFXP\3\History.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FlashFXP\3\Sites.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\AceBIT |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\LeapWare\LeapFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\CuteFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\TurboFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\GPSoftware\Directory Opus\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FlashFXP\4\Quick.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\GPSoftware\Directory Opus\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\GHISLER\wcx_ftp.ini |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\AceBIT |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Sites.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\BitKinex\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP Lite\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FileZilla\filezilla.xml |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\BitKinex\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\SharedSettings_1_0_5.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files (x86)\CuteFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\SharedSettings.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings_1_0_5.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\GHISLER\wcx_ftp.ini |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FileZilla\recentservers.xml |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FileZilla\sitemanager.xml |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FlashFXP\4\Sites.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\GlobalSCAPE\CuteFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FTP Explorer\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FTPGetter\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FileZilla\recentservers.xml |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\Frigate3\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files (x86)\CuteFTP\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FTPRush\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Frigate3\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\CuteFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings_1_0_5.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_LOCAL_MACHINE\Software\WOW6432Node\TurboFTP |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\SmartFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\SharedSettings.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\Estsoft\ALFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224 |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Pro\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\BitKinex\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FTPRush\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\FTP Explorer\Profiles |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FTP Explorer\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\Frigate3\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\SmartFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FileZilla\sitemanager.xml |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\CoffeeCup Software\SharedSettings.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\TurboFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\CuteFTP\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FileZilla\filezilla.xml |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\TurboFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FTPGetter\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\SharedSettings_1_0_5.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FlashFXP\3\Quick.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\Estsoft\ALFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Pro\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\ExpanDrive\drives.js |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\SharedSettings.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FTPGetter\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\AceBIT\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FTP Explorer\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\CuteFTP\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\GPSoftware\Directory Opus\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\LeapWare\LeapFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FlashFXP\3\Sites.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\AceBIT\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\SharedSettings_1_0_5.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\SmartFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\LeapWare\LeapFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\CoffeeCup Software\SharedSettings.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\CoffeeCup Software\SharedSettings.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\SharedSettings.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\AceBIT\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\SharedSettings.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\GlobalSCAPE\CuteFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.sqlite |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Windows\32BitFtp.ini |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Pro\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FlashFXP\4\Quick.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FlashFXP\3\Quick.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\CuteFTP\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\RhinoSoft.com\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\FlashFXP\4\Sites.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FlashFXP\4\Quick.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FTPRush\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Local\RhinoSoft.com\ |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Users\user\AppData\Roaming\GlobalSCAPE\CuteFTP Lite\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\GlobalSCAPE\CuteFTP Lite\sm.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FlashFXP\3\History.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: HKEY_LOCAL_MACHINE\Software\TurboFTP |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\FlashFXP\4\History.dat |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\ProgramData\CoffeeCup Software\SharedSettings_1_0_5.ccs |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Windows\wcx_ftp.ini |
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
File opened: C:\Program Files (x86)\GlobalSCAPE\CuteFTP Lite\sm.dat |