Source: 00000000.00000002.3695298170.0000000002601000.00000004.00000800.00020000.00000000.sdmp |
Malware Configuration Extractor: Njrat {"Host": "seznam.zapto.org", "Port": "5050", "Campaign ID": "NYAN CAT", "Network Seprator": "@!#&^%$", "Registry": "76c8ec7d474b4123895"} |
Source: mS9Dzx612m.exe |
ReversingLabs: Detection: 60% |
Source: Yara match |
File source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.mS9Dzx612m.exe.25b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.3695175238.00000000025B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3695298170.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: mS9Dzx612m.exe PID: 7604, type: MEMORYSTR |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: mS9Dzx612m.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: mS9Dzx612m.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: global traffic |
TCP traffic: 192.168.2.10:49700 -> 34.102.5.126:5050 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: seznam.zapto.org |
Source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, Keylogger.cs |
.Net Code: VKCodeToUnicode |
Source: Yara match |
File source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.mS9Dzx612m.exe.25b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.3695175238.00000000025B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3695298170.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: mS9Dzx612m.exe PID: 7604, type: MEMORYSTR |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process Stats: CPU usage > 49% |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_00B188D0 |
0_2_00B188D0 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_00B197C0 |
0_2_00B197C0 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_00B1D290 |
0_2_00B1D290 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_025DD320 |
0_2_025DD320 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_025D5920 |
0_2_025D5920 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_025D3C68 |
0_2_025D3C68 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_025D8752 |
0_2_025D8752 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_025D383C |
0_2_025D383C |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_025D6950 |
0_2_025D6950 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_05953BA0 |
0_2_05953BA0 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_05956350 |
0_2_05956350 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_059532B0 |
0_2_059532B0 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Code function: 0_2_05952F60 |
0_2_05952F60 |
Source: mS9Dzx612m.exe, 00000000.00000002.3693713699.000000000062E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs mS9Dzx612m.exe |
Source: mS9Dzx612m.exe, 00000000.00000002.3695175238.00000000025B0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenamenyan.exe4 vs mS9Dzx612m.exe |
Source: mS9Dzx612m.exe, 00000000.00000002.3693424640.0000000000537000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameUNKNOWN_FILET vs mS9Dzx612m.exe |
Source: mS9Dzx612m.exe, 00000000.00000000.1233167583.0000000000144000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameAMD VERSION.exe8 vs mS9Dzx612m.exe |
Source: mS9Dzx612m.exe |
Binary or memory string: OriginalFilenameAMD VERSION.exe8 vs mS9Dzx612m.exe |
Source: mS9Dzx612m.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: mS9Dzx612m.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: mS9Dzx612m.exe, b.cs |
Cryptographic APIs: 'CreateDecryptor' |
Source: mS9Dzx612m.exe, a.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: classification engine |
Classification label: mal92.troj.spyw.evad.winEXE@1/0@1/1 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Mutant created: \Sessions\1\BaseNamedObjects\76c8ec7d474b4123895 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Mutant created: NULL |
Source: mS9Dzx612m.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: mS9Dzx612m.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: mS9Dzx612m.exe |
ReversingLabs: Detection: 60% |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: mscoree.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: wbemcomn.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: avicap32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: msvfw32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 |
Jump to behavior |
Source: mS9Dzx612m.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: mS9Dzx612m.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: mS9Dzx612m.exe, b.cs |
.Net Code: a System.AppDomain.Load(byte[]) |
Source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, Program.cs |
.Net Code: Plugin System.Reflection.Assembly.Load(byte[]) |
Source: mS9Dzx612m.exe |
Static PE information: section name: .text entropy: 7.693729863412956 |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Memory allocated: B10000 memory reserve | memory write watch |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Memory allocated: 2600000 memory reserve | memory write watch |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Memory allocated: 2460000 memory reserve | memory write watch |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Window / User API: threadDelayed 495 |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Window / User API: threadDelayed 3828 |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Window / User API: threadDelayed 5185 |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Window / User API: foregroundWindowGot 1765 |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe TID: 7608 |
Thread sleep count: 495 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe TID: 7608 |
Thread sleep time: -495000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe TID: 8096 |
Thread sleep count: 3828 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe TID: 7608 |
Thread sleep count: 5185 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe TID: 7608 |
Thread sleep time: -5185000s >= -30000s |
Jump to behavior |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, Program.cs |
Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, cbName, ref lpszVer, 100) |
Source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, Keylogger.cs |
Reference to suspicious API methods: MapVirtualKey(a, 0u) |
Source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, Keylogger.cs |
Reference to suspicious API methods: GetAsyncKeyState(num2) |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager]B |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager' |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerKq |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManageraB |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerAB |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp, mS9Dzx612m.exe, 00000000.00000002.3695298170.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManageruB |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerO |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManageryB |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerYB |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager7 |
Source: mS9Dzx612m.exe, 00000000.00000002.3695298170.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, mS9Dzx612m.exe, 00000000.00000002.3695298170.0000000002667000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Managerx |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager1B |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager1 |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagereB |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005840000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager? |
Source: mS9Dzx612m.exe, 00000000.00000002.3696883668.0000000005879000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager!Bg |
Source: mS9Dzx612m.exe, 00000000.00000002.3695298170.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, mS9Dzx612m.exe, 00000000.00000002.3695298170.0000000002667000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager@\ |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Queries volume information: C:\Users\user\Desktop\mS9Dzx612m.exe VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Queries volume information: C:\ VolumeInformation |
Jump to behavior |
Source: C:\Users\user\Desktop\mS9Dzx612m.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |
Source: Yara match |
File source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.mS9Dzx612m.exe.25b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.3695175238.00000000025B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3695298170.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: mS9Dzx612m.exe PID: 7604, type: MEMORYSTR |
Source: Yara match |
File source: 0.2.mS9Dzx612m.exe.25b0000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.mS9Dzx612m.exe.25b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.3695175238.00000000025B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.3695298170.0000000002601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: mS9Dzx612m.exe PID: 7604, type: MEMORYSTR |