Source: strategy-mls.gl.at.ply.gg:24195 |
Avira URL Cloud: Label: malware |
Source: 00000000.00000002.4132410960.0000000003462000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: Njrat {"Host": "strategy-mls.gl.at.ply.gg:24195", "Campaign ID": "HacKed by s6_y", "Install Name": "ocuALPV2c7.exe", "Install Dir": "Desktop"} |
Source: ocuALPV2c7.exe |
ReversingLabs: Detection: 86% |
Source: Yara match |
File source: 00000000.00000002.4132410960.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ocuALPV2c7.exe PID: 6960, type: MEMORYSTR |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: ocuALPV2c7.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: ocuALPV2c7.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user\AppData\Roaming |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user\AppData |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49730 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49730 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49730 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49737 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49737 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49737 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49738 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825563 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (inf) 192.168.2.4:49738 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49738 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49740 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49740 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49741 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49741 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49742 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49742 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49743 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49743 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49744 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49744 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49745 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49745 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49746 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49746 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 147.185.221.19:24195 |
Source: Traffic |
Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49747 -> 147.185.221.19:24195 |
Source: Malware configuration extractor |
URLs: strategy-mls.gl.at.ply.gg:24195 |
Source: global traffic |
TCP traffic: 147.185.221.19 ports 1,2,24195,4,5,9 |
Source: global traffic |
TCP traffic: 192.168.2.4:49730 -> 147.185.221.19:24195 |
Source: Joe Sandbox View |
IP Address: 147.185.221.19 |
Source: Joe Sandbox View |
ASN Name: SALSGIVERUS |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: strategy-mls.gl.at.ply.gg |
Source: ocuALPV2c7.exe, 00000000.00000002.4132410960.0000000003221000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: ocuALPV2c7.exe |
String found in binary or memory: https://gg.ylp.ta.lg.slm-ygetarts |
Source: Yara match |
File source: 00000000.00000002.4132410960.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ocuALPV2c7.exe PID: 6960, type: MEMORYSTR |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: Detects executables using attrib with suspicious attributes attributes Author: ditekSHen |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables using attrib with suspicious attributes attributes Author: ditekSHen |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen |
Source: 00000000.00000000.1680626393.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 00000000.00000000.1680626393.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000000.1680626393.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: ocuALPV2c7.exe PID: 6960, type: MEMORYSTR |
Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Process Stats: CPU usage > 49% |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Code function: 0_2_01632F38 |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Code function: 0_2_01631250 |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Code function: 0_2_01633530 |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Code function: 0_2_01631240 |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Code function: 0_2_05FDAD11 |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Code function: 0_2_05FD238C |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Code function: 0_2_05FD3C30 |
Source: ocuALPV2c7.exe, 00000000.00000002.4131708303.000000000135E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs ocuALPV2c7.exe |
Source: ocuALPV2c7.exe, 00000000.00000002.4131471778.00000000010F7000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ocuALPV2c7.exe |
Source: ocuALPV2c7.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_attrib author = ditekSHen, description = Detects executables using attrib with suspicious attributes attributes |
Source: ocuALPV2c7.exe, type: SAMPLE |
Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_attrib author = ditekSHen, description = Detects executables using attrib with suspicious attributes attributes |
Source: 0.0.ocuALPV2c7.exe.d20000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi |
Source: 00000000.00000000.1680626393.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 00000000.00000000.1680626393.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 00000000.00000000.1680626393.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: ocuALPV2c7.exe PID: 6960, type: MEMORYSTR |
Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: classification engine |
Classification label: mal100.phis.troj.evad.winEXE@1/2@1/1 |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Mutant created: NULL |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Windows |
Source: ocuALPV2c7.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: ocuALPV2c7.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80% |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: ocuALPV2c7.exe |
ReversingLabs: Detection: 86% |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: ucrtbase_clr0400.dll (2 identical entries) |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: sxs.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: scrrun.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: avicap32.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: msvfw32.dll |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Section loaded: winmm.dll (2 identical entries) |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32 |
Source: ocuALPV2c7.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: ocuALPV2c7.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: ocuALPV2c7.exe, L.cs |
.Net Code: Plugin System.Reflection.Assembly.Load(byte[]) |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Process information set: NOOPENFILEERRORBOX (42 identical entries) |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Memory allocated: 15D0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Memory allocated: 3220000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Memory allocated: 2FF0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Window / User API: threadDelayed 436 |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Window / User API: threadDelayed 9550 |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Window / User API: foregroundWindowGot 1775 |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe TID: 6964 |
Thread sleep count: 436 > 30 |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe TID: 6964 |
Thread sleep time: -436000s >= -30000s |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe TID: 6964 |
Thread sleep count: 9550 > 30 |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe TID: 6964 |
Thread sleep time: -9550000s >= -30000s |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user\AppData\Roaming |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user\AppData |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows |
Source: ocuALPV2c7.exe, 00000000.00000002.4131708303.00000000013F1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw&Q |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Memory allocated: page read and write | page guard |
Source: ocuALPV2c7.exe, 00000000.00000002.4132410960.0000000003221000.00000004.00000800.00020000.00000000.sdmp, ocuALPV2c7.exe, 00000000.00000002.4132410960.00000000035EA000.00000004.00000800.00020000.00000000.sdmp, ocuALPV2c7.exe, 00000000.00000002.4132410960.0000000003462000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager@\^q |
Source: ocuALPV2c7.exe, 00000000.00000002.4132410960.0000000003221000.00000004.00000800.00020000.00000000.sdmp, ocuALPV2c7.exe, 00000000.00000002.4132410960.0000000003462000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager( |
Source: ocuALPV2c7.exe, 00000000.00000002.4132410960.0000000003221000.00000004.00000800.00020000.00000000.sdmp, ocuALPV2c7.exe, 00000000.00000002.4132410960.00000000035EA000.00000004.00000800.00020000.00000000.sdmp, ocuALPV2c7.exe, 00000000.00000002.4131708303.00000000013F1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: ocuALPV2c7.exe, 00000000.00000002.4131708303.00000000013F1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerpK |
Source: ocuALPV2c7.exe, 00000000.00000002.4131708303.00000000013F1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagertK |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Queries volume information: C:\Users\user\Desktop\ocuALPV2c7.exe VolumeInformation |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Queries volume information: C:\ VolumeInformation (11 identical entries) |
Source: C:\Users\user\Desktop\ocuALPV2c7.exe |
Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS |
Source: Yara match |
File source: 00000000.00000002.4132410960.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ocuALPV2c7.exe PID: 6960, type: MEMORYSTR |
Source: Yara match |
File source: 00000000.00000002.4132410960.0000000003221000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: ocuALPV2c7.exe PID: 6960, type: MEMORYSTR |