Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Avira: detected |
Source: 00000000.00000002.4093017594.0000000003259000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: Njrat {"Host": "googledocs.duckdns.org:1316", "Campaign ID": "EaseUs", "Install Name": "6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe", "Install Dir": "Desktop"} |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
ReversingLabs: Detection: 65% |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Virustotal: Detection: 74% |
Source: Yara match |
File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe PID: 6560, type: MEMORYSTR |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.9% probability |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Joe Sandbox ML: detected |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: |
Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdbQckc ]c_CorDllMainmscoree.dll source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: E:\Hacking\njrat 0.7d Private Edition\Edited Stub SRC\j\obj\Debug\Rrr.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 4x nop then mov ecx, dword ptr [041D6EA4h] |
0_2_0537342A |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] |
0_2_05370070 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 4x nop then mov ecx, dword ptr [041D6E84h] |
0_2_05372C78 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 4x nop then jmp 05372C48h |
0_2_05372782 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 4x nop then mov eax, dword ptr [ebp-000000A8h] |
0_2_05371180 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 4x nop then mov ecx, dword ptr [041D6EA4h] |
0_2_05373510 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] |
0_2_05370006 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49735 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49735 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49735 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49738 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49738 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49738 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49743 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49743 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49743 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49744 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49744 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49744 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49745 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49745 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49745 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49747 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49748 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49748 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49749 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49749 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49750 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49750 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49751 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49751 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53422 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53422 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53423 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53423 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53424 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53424 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53425 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:53425 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53425 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53426 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53426 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53427 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53427 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53428 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53428 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53429 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53429 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:53430 -> 192.169.69.25:1316 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:53430 -> 192.169.69.25:1316 |
Source: Malware configuration extractor |
URLs: googledocs.duckdns.org:1316 |
Source: unknown |
DNS query: name: googledocs.duckdns.org |
Source: Joe Sandbox View |
IP Address: 192.169.69.25 192.169.69.25 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: googledocs.duckdns.org |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.000000000119F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredI0i |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0 |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05 |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0B |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.000000000119F000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0xh |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://ocsp.digicert.com0C |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://ocsp.digicert.com0N |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://ocsp.thawte.com0 |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: http://www.videolan.org/0 |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE |
Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE |
Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 0_2_0537342A |
0_2_0537342A |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 0_2_05372C78 |
0_2_05372C78 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 0_2_05372782 |
0_2_05372782 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 0_2_05371180 |
0_2_05371180 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 0_2_05374DE0 |
0_2_05374DE0 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 0_2_05370510 |
0_2_05370510 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 0_2_05372C68 |
0_2_05372C68 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 0_2_05370D98 |
0_2_05370D98 |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Static PE information: invalid certificate |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000000.1626633923.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamePicasa.exe. vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameRrr.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.000000000116E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamemscorwks.dllT vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameClassLibrary1.dll< vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094468912.00000000057E0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameIntro.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameIntro.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameRrr.exe, vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Binary or memory string: OriginalFilenamePicasa.exe. vs 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE |
Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE |
Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE |
Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@1/0@16/1 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 0_2_010DAD42 AdjustTokenPrivileges, |
0_2_010DAD42 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Code function: 0_2_010DAD0B AdjustTokenPrivileges, |
0_2_010DAD0B |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Mutant created: \Sessions\1\BaseNamedObjects\[RG] |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Mutant created: NULL |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01% |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
File read: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: riched20.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: usp10.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: msls31.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: shfolder.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: avicap32.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: msvfw32.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
Jump to behavior |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll |
Jump to behavior |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll |
Jump to behavior |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: |
Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: C:\Users\Rahoz\Desktop\Enc Projects\Kurd Crypter\ClassLibrary1\ClassLibrary1\obj\Debug\ClassLibrary1.pdbQckc ]c_CorDllMainmscoree.dll source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094487596.00000000057F0000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: E:\Hacking\njrat 0.7d Private Edition\Edited Stub SRC\j\obj\Debug\Rrr.pdb source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs |
.Net Code: Rya249 System.AppDomain.Load(byte[]) |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs |
.Net Code: checkifdotnet System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57e0000.2.raw.unpack, Module1.cs |
.Net Code: Main System.AppDomain.Load(byte[]) |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, OK.cs |
.Net Code: Plugin System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, Module1.cs |
.Net Code: Main System.AppDomain.Load(byte[]) |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Static PE information: section name: .text entropy: 7.56568122650443 |
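The .text entropy of 7.57 reported above is the static counterpart of the Assembly.Load(byte[]) / AppDomain.Load(byte[]) chain and the unpacked stages listed earlier, and of the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry that marks the file as a managed image: the compiled code section of an ordinary .NET binary sits well below 7 bits per byte, so a .text section this dense is mostly encrypted or compressed payload that only exists in clear form in process memory. The Python below is an added example and is not code from the report, the sandbox or the sample. It computes per-section Shannon entropy straight from the PE section table, checks whether the CLR header data directory (entry 14) is populated, and carves embedded PE headers out of an arbitrary buffer such as a process memory dump. The 7.0 threshold is a common rule of thumb rather than a value the report states, and build_fake_pe assembles a constructed fixture for the tests, not the analysed file.

```python
import math
import struct
from typing import List, Tuple

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
COM_DESCRIPTOR_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: CLR header of a managed image


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_header_offset(buf: bytes, base: int = 0) -> int:
    """Offset of 'PE\\0\\0' for an image starting at `base`, or -1 if the MZ/PE/optional
    header magic chain does not check out. Shared by the parser and the carver."""
    if buf[base:base + 2] != b"MZ" or base + 0x40 > len(buf):
        return -1
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    pe = base + e_lfanew
    # e_lfanew is small in real images; the cap stops stray "MZ" bytes in a dump from matching
    if e_lfanew > 0x1000 or pe + 26 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return -1
    if struct.unpack_from("<H", buf, pe + 24)[0] not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return -1
    return pe


def pe_sections(pe: bytes) -> List[Tuple[str, bytes]]:
    """(name, raw bytes) for each section-table entry of a PE file in on-disk layout."""
    hdr = pe_header_offset(pe)
    if hdr < 0:
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, hdr + 6)[0]
    size_opt = struct.unpack_from("<H", pe, hdr + 20)[0]
    table = hdr + 24 + size_opt          # section headers follow the optional header
    out = []
    for i in range(num_sections):
        sec = table + 40 * i
        name = pe[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sec + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return out


def high_entropy_sections(pe: bytes, threshold: float = 7.0) -> List[Tuple[str, float]]:
    """Sections at or above `threshold` bits per byte; 7.0 is a rule of thumb, not a spec value."""
    result = []
    for name, data in pe_sections(pe):
        h = shannon_entropy(data)
        if h >= threshold:
            result.append((name, round(h, 2)))
    return result


def is_dotnet(pe: bytes) -> bool:
    """True when data directory entry 14 (the CLR header) has a non-zero RVA and size."""
    hdr = pe_header_offset(pe)
    if hdr < 0:
        raise ValueError("not a PE image")
    opt = hdr + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == PE32_MAGIC else 112)   # first data directory entry
    rva, size = struct.unpack_from("<II", pe, dirs + 8 * COM_DESCRIPTOR_INDEX)
    return rva != 0 and size != 0


def carve_pe_offsets(blob: bytes) -> List[int]:
    """Offsets of every embedded PE image in a buffer, e.g. a process memory dump
    holding the stages a crypter decrypted and loaded at runtime."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pe_header_offset(blob, pos) >= 0:
            found.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return found


def build_fake_pe(sections: List[Tuple[str, bytes]], managed: bool = True) -> bytes:
    """Constructed PE32 fixture: a valid header chain plus the given sections.
    Not loadable and not derived from the analysed sample; test input only."""
    opt_size = 224                                   # IMAGE_OPTIONAL_HEADER32
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = (headers_len + 0x1FF) & ~0x1FF       # FileAlignment 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    if managed:
        struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
    table, body, raw_ptr = bytearray(), bytearray(), first_raw
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), raw_ptr,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(table)
    return image + b"\0" * (first_raw - len(image)) + bytes(body)
```

Against a real file, pass `open(path, "rb").read()` to high_entropy_sections and is_dotnet; against a memory dump, run carve_pe_offsets first and feed each slice to pe_sections. Images with a single dense .text and a populated CLR header are the profile this report shows for the crypter layer.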
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Process information set: NOOPENFILEERRORBOX (39 identical rows) |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Memory allocated: 1470000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Memory allocated: 31D0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Memory allocated: 1470000 memory commit | memory reserve | memory write watch |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Window / User API: threadDelayed 1839 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Window / User API: threadDelayed 8131 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Window / User API: foregroundWindowGot 1772 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe TID: 6592 |
Thread sleep time: -1839000s >= -30000s |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe TID: 6592 |
Thread sleep time: -8131000s >= -30000s |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4092491974.0000000001236000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll <add name="AspNetSqlProfileProvider" connectionStringName="LocalSqlServer" applicationName="/" type="System.Web.Profile.SqlProfileProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Process token adjusted: Debug |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Memory allocated: page read and write | page guard |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, OK.cs |
Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100) |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs |
Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead) |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs |
Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64) |
Source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.57f0000.3.raw.unpack, Rahoz.cs |
Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead) |
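The three Rahoz.cs references above are the remote-process primitives typical of a RunPE-style loader (Rahoz.cs sits in the same unpacked region as the Kurd Crypter ClassLibrary1.pdb string): ReadProcessMemory pulling 4 bytes from some base + 8, VirtualAllocEx with the numeric flags 12288 and 64, and WriteProcessMemory into the same process handle, with capGetDriverDescriptionA (the avicap32.dll load listed earlier) on the njRAT side. The Python below is an added triage helper and is not code from the report, the sandbox or the sample. It parses rows in the report's own "Reference to suspicious API methods" format (SAMPLE_ROWS are constructed copies of the four rows on this page), decodes the VirtualAllocEx constants to their SDK names, and flags whether the read/alloc/write triple is present. The note that a 4-byte read at an address + 8 matches the ImageBaseAddress field of a 32-bit PEB is an interpretation; the decompiled fragment does not say what num3 holds.

```python
import re
from typing import Dict, List, Optional, Tuple

# VirtualAllocEx flag names as defined in the Windows SDK (winnt.h)
ALLOC_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x100000: "MEM_TOP_DOWN"}
PROTECT_FLAGS = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x100: "PAGE_GUARD"}

# Constructed copies of the report rows above; the row format is the sandbox's, the list is test input
SAMPLE_ROWS = [
    "Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)",
    "Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)",
    "Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)",
    "Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)",
]

CALL_RE = re.compile(r"methods:\s*(\w+)\((.*)\)\s*$")
INJECTION_TRIPLE = {"ReadProcessMemory", "VirtualAllocEx", "WriteProcessMemory"}


def parse_call(row: str) -> Optional[Tuple[str, List[str]]]:
    """Split one 'Reference to suspicious API methods: Name(args)' row into (Name, [args])."""
    m = CALL_RE.search(row)
    if not m:
        return None
    return m.group(1), [a.strip() for a in m.group(2).split(",")]


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Render a numeric flag word as 'A|B', keeping bits the table does not name as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"


def triage(rows: List[str]) -> Dict[str, object]:
    """Summarise the API references: decode constants and flag the read/alloc/write triple."""
    calls = [c for c in map(parse_call, rows) if c]
    seen = {name for name, _ in calls}
    notes = []
    for name, args in calls:
        if name == "VirtualAllocEx" and len(args) == 5 and args[3].isdigit() and args[4].isdigit():
            notes.append("VirtualAllocEx: %s, %s" % (decode_flags(int(args[3]), ALLOC_FLAGS),
                                                     decode_flags(int(args[4]), PROTECT_FLAGS)))
        elif name == "ReadProcessMemory" and len(args) == 5 and args[1].endswith("+ 8") and args[3] == "4":
            # Interpretation, not stated by the report: a 4-byte read at <base> + 8 matches the
            # ImageBaseAddress field of a 32-bit PEB, which a RunPE loader reads before replacing the image
            notes.append("ReadProcessMemory: 4 bytes at %s, consistent with PEB.ImageBaseAddress (32-bit)" % args[1])
        elif name == "capGetDriverDescriptionA":
            notes.append("capGetDriverDescriptionA: enumerates video capture drivers via avicap32.dll (webcam access)")
    return {
        "apis": sorted(seen),
        "notes": notes,
        "injection_triple": INJECTION_TRIPLE <= seen,
    }
```

For this page triage(SAMPLE_ROWS) decodes 12288 to MEM_COMMIT|MEM_RESERVE and 64 to PAGE_EXECUTE_READWRITE, i.e. an RWX allocation in the target process followed by a write into it, and reports the triple as present. On other reports the same function distinguishes a lone capture-driver enumeration from an injection-capable stub.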
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000035F4000.00000004.00000800.00020000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.0000000003259000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.00000000035F4000.00000004.00000800.00020000.00000000.sdmp, 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe, 00000000.00000002.4093017594.0000000003259000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager@9 |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Queries volume information: C:\ VolumeInformation (12 identical rows) |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\Desktop\6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe |
WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct |
Source: Yara match |
File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.5810000.4.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31dc00c.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe.31e29f4.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.4094507216.0000000005810000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4093017594.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 6f2b0a1890381cd7f98f920e2ecca11d2cc54f0e50c85.exe PID: 6560, type: MEMORYSTR |