Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://breaking-security.net/terms |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://breaking-security.net/termsopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://breakingsec02.co.nf/Remcos/logaccess.php?DATA= |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://breakingsec02.co.nf/Remcos/upd_free.txtU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://www.geoplugin.net |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://www.geoplugin.net/json.gp?ip= |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: http://www.geoplugin.netU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1349983964.0000000004BBB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://Breaking-Security.net |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1348743141.0000000004888000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://Breaking-Security.netpf |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/clientarea/support |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/clientarea/supportopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/contact |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/contactopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/forum |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/forumopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/keylogger |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/keyloggeropenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/meteorite-downloader |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/meteorite-downloaderopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/octopus |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/octopusopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/poseidon |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/poseidonopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/remcos |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/remcos/changelog |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/remcos/changelogopenCongratulations |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/remcos/manual |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/remcos/manualopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/remcosopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/shop/remcos/ |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/shop/remcos/open |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/source-codes/delphisources |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/source-codes/delphisourcesopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/terms |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/termsopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/viotto-binder |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.net/viotto-binderopenU |
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp |
String found in binary or memory: https://breaking-security.netopenU |
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE |
Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE |
Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE |
Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE |
Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen |
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE |
Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE |
Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi |
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04 |
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
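The dump names in the YARA section above carry more than a file name: they say which analysis process the hit came from, at what address, and with what page protection. The Python below is an added example written for this page, not part of the sandbox report or of any vendor tool. It decodes those descriptors and states what each memory hit means. The field layout is inferred from the names on this page (the first field equals the `19.` / `0.` process index of the unpacked-PE names, the fourth is the region base, and the fifth and seventh line up with the Windows PAGE_* and MEM_* constants) and is an assumption; the sixth and eighth fields are left undecoded. The excerpt it runs on is copied from the lines above.

```python
"""Decode the memory-dump descriptors behind the YARA hits listed above.

Added example for this page, not part of the sandbox report. The dump-name
layout (process index . pass . timestamp . base . protection . ? . region . ?)
is an assumption inferred from the names on this page; '?' fields are not decoded.
"""
import re
from collections import OrderedDict

# winnt.h constants (documented values).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<idx>[0-9a-f]{8})\.[0-9a-f]{8}\.\d+\.(?P<base>[0-9a-f]{16})\."
    r"(?P<prot>[0-9a-f]{8})\.[0-9a-f]{8}\.(?P<mtype>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$",
    re.IGNORECASE)
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.\d+\.(?P<proc>.+?\.exe)\.", re.IGNORECASE)
SOURCE_RE = re.compile(r"^Source: (?P<src>.+?), type: (?P<kind>\w+) \|$")
RULE_RE = re.compile(r"^Matched rule: (?P<rule>.+?) (?:Author:|\w+ = )")

# Excerpt copied from the YARA section of this page.
SAMPLE = """\
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown |
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
"""


def decode_sdmp(name):
    """Process index, base address, page protection and region type of one dump."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("not a dump descriptor: %s" % name)
    prot, mtype = int(m["prot"], 16), int(m["mtype"], 16)
    return {"proc_index": int(m["idx"], 16), "base": int(m["base"], 16),
            "protect": PAGE_PROTECT.get(prot, hex(prot)),
            "region": MEM_TYPE.get(mtype, hex(mtype))}


def parse_hits(text):
    """Group the 'Source:' / 'Matched rule:' pairs by source, in first-seen order."""
    hits, src = OrderedDict(), None
    for line in text.splitlines():
        m = SOURCE_RE.match(line.strip())
        if m:
            src = m["src"]
            hits.setdefault(src, {"kind": m["kind"], "rules": []})
            continue
        m = RULE_RE.match(line.strip())
        if m and src and m["rule"] not in hits[src]["rules"]:
            hits[src]["rules"].append(m["rule"])
    return hits


def triage(text):
    """For every memory dump with a YARA hit, say what kind of region it was."""
    hits = parse_hits(text)
    # Process names come from the unpacked-PE names, e.g. '19.2.taskhost.exe.400000.0.unpack'.
    names = {int(m["idx"]): m["proc"] for m in map(UNPACK_RE.match, hits) if m}
    findings = []
    for src, info in hits.items():
        if info["kind"] != "MEMORY":
            continue
        d = decode_sdmp(src)
        if d["protect"] == "PAGE_EXECUTE_READWRITE" and d["region"] == "MEM_PRIVATE":
            reading = "RWX private region: payload written and run outside any loaded image"
        elif d["region"] == "MEM_PRIVATE":
            reading = "writable private region: payload staged in memory, not executable here"
        elif d["region"] == "MEM_IMAGE":
            reading = "mapped image: the signature is in the module as loaded from disk"
        else:
            reading = "hit in a %s region" % d["region"]
        findings.append(dict(d, process=names.get(d["proc_index"], "process #%d" % d["proc_index"]),
                             rules=info["rules"], reading=reading))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

Run as-is it reports two memory findings: the njRAT hit in taskhost.exe sits in an RWX private region at 0x402000, which is the unpacked payload running in place, while the hit in the .NET dropper sits in read-write private memory at 0x3CE4000, the payload held as data before it is handed on. Point `parse_hits` at the full report text to cover every source on the page.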
Source: unknown |
Process created: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe "C:\Users\user\Desktop\LisectAVT_2403002A_348.exe" |
|
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process created: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe "C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe" |
|
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:/Users/user/Desktop/LisectAVT_2403002A_348.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\user~1\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f |
|
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process created: C:\Users\user\AppData\Local\Temp\taskhost.exe "C:\Users\user~1\AppData\Local\Temp\taskhost.exe" |
|
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE |
|
Source: C:\Windows\SysWOW64\netsh.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
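The process records above show the whole chain: the dropper copies itself into %TEMP%, registers the copy under the Windows\Load value so it runs at every logon, rewrites the Zone.Identifier stream of the copy, drops a taskhost.exe look-alike into %TEMP%, and that binary punches a firewall exception for itself. The Python below is an added example written for this page, not part of the sandbox report; it parses those records and tags each one with the behaviour a practitioner would raise. It assumes that each `Source:` line names the parent of the `Process created:` line that follows it, and, because the report gives image paths rather than PIDs, it lists parent/child rows flat instead of building a nested tree (the three cmd.exe children cannot be told apart). The ATT&CK IDs are the standard ones for these behaviours; the tag wording is the author's reading of the command lines, and the excerpt it runs on is copied from the records above with the conhost.exe rows left out.

```python
"""Tag the 'Process created:' records above with the behaviour they show.

Added example for this page, not part of the sandbox report. Assumes each
'Source:' line is the parent of the following 'Process created:' line; rows
are listed flat because the report carries image paths, not PIDs.
"""
import re

SOURCE_RE = re.compile(r"^Source: (?P<parent>.+?) \|$")
CREATED_RE = re.compile(r"^Process created: (?P<image>.+?\.exe) (?P<cmdline>.+?) \|$", re.I)
ZONES = {"0": "Local machine", "1": "Intranet", "2": "Trusted sites", "3": "Internet", "4": "Restricted"}
# Names malware borrows for dropped binaries; only taskhost.exe is seen on this page.
SYSTEM_NAMES = {"taskhost.exe", "svchost.exe", "csrss.exe", "explorer.exe", "conhost.exe"}

# Excerpt copied from the process records on this page (conhost.exe rows omitted).
SAMPLE = r"""
Source: unknown |
Process created: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe "C:\Users\user\Desktop\LisectAVT_2403002A_348.exe" |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process created: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe "C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe" |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:/Users/user/Desktop/LisectAVT_2403002A_348.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\user~1\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process created: C:\Users\user\AppData\Local\Temp\taskhost.exe "C:\Users\user~1\AppData\Local\Temp\taskhost.exe" |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE |
"""


def parse_records(text):
    """Return (parent, image, cmdline) triples in report order."""
    parent, rows = None, []
    for line in text.splitlines():
        m = SOURCE_RE.match(line.strip())
        if m:
            parent = m["parent"]
            continue
        m = CREATED_RE.match(line.strip())
        if m and parent is not None:
            rows.append((parent, m["image"], m["cmdline"]))
    return rows


def classify(image, cmdline):
    """Behaviour tags for one record; empty when nothing stands out."""
    c, tags = cmdline.lower(), []
    if "reg add" in c and "\\windows nt\\currentversion\\windows" in c and "/v load" in c:
        tags.append("T1547.001 logon persistence via the Windows\\Load value")
    if "netsh" in c and "firewall" in c and ("allowedprogram" in c or "add rule" in c):
        tags.append("T1562.004 firewall exception added for the dropped binary")
    if ":zone.identifier" in c and ">" in c:
        zone = re.search(r"zoneid\s*=\s*(\d)", c)
        tag = "T1553.005 Zone.Identifier stream rewritten"
        if zone:
            tag += " (ZoneId %s = %s)" % (zone.group(1), ZONES.get(zone.group(1), "?"))
        target = c.split(">", 1)[1].strip()
        if not target.startswith('"') and " " in target:
            tag += "; redirect target is unquoted and contains a space, so confirm on disk that the stream was written"
        tags.append(tag)
    if "copy " in c and "%temp%" in c:
        tags.append("executable copied into %TEMP% (staging for persistence)")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_NAMES and "\\windows\\" not in image.lower():
        tags.append("T1036.005 system-binary name launched from a user-writable path")
    return tags


def triage(text):
    """Flat list of (parent, image, tags) rows."""
    return [(p, img, classify(img, cmd)) for p, img, cmd in parse_records(text)]


if __name__ == "__main__":
    for parent, image, tags in triage(SAMPLE):
        print("%s -> %s" % (parent.rsplit("\\", 1)[-1], image.rsplit("\\", 1)[-1]),
              "  [" + "; ".join(tags) + "]" if tags else "")
```

Two details in the tags are worth acting on during triage. The Load value is written twice (once by cmd.exe, once by the reg.exe it spawned), so a registry rule that fires on reg.exe alone still catches it. The Zone.Identifier write is unusual: the documented stream layout puts `[ZoneTransfer]` and `ZoneId=` on separate lines, and here the redirect target is an unquoted path containing a space, so whether the intended zone 2 (Trusted sites) marking actually landed on the copied executable has to be checked on the file system rather than inferred from the command line.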
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: edputil.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: appresolver.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: bcp47langs.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: slc.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: sppc.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: dfddccccccccccccccccccccccccccccccccccccccccccccccccccccddddfll.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: dfddccccccccccccccccccccccccccccccccccccccccccccccccccccddddfll.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: dfddccccccccccccccccccccccccccccccccccccccccccccccccccccddddfll.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: sxs.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: mpr.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: scrrun.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: linkinfo.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: ntshrui.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: cscapi.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: dfddccccccccccccccccccccccccccccccccccccccccccccccccccccddddfll.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: netapi32.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: wsock32.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: wtsapi32.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: winsta.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: textshaping.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: riched20.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: usp10.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: msls31.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: dataexchange.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: d3d11.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: dcomp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: dxgi.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: twinapi.appcore.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: textinputframework.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: coreuicomponents.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: coremessaging.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Section loaded: dwmapi.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: version.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: avicap32.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: msvfw32.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Section loaded: winmm.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: ifmon.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: mprapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: rasmontr.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: rasapi32.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: rasman.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: mfc42u.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: rasman.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: authfwcfg.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: fwpolicyiomgr.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: firewallapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: dnsapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: fwbase.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: dhcpcmonitor.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: dot3cfg.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: dot3api.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: onex.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: eappcfg.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: ncrypt.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: eappprxy.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: ntasn1.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: fwcfg.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: hnetmon.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: netshell.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: nlaapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: netsetupapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: netiohlp.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: winnsi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: nshhttp.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: httpapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: nshipsec.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: userenv.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: activeds.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: polstore.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: winipsec.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: adsldpc.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: adsldpc.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: nshwfp.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: cabinet.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: p2pnetsh.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: p2p.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: profapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: cryptbase.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: rpcnsh.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: whhelper.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: winhttp.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: wlancfg.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: wlanapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: wshelper.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: wevtapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: peerdistsh.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: wcmapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: rmclient.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: mobilenetworking.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: slc.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: sppc.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: gpapi.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: ktmw32.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: mprmsg.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\netsh.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\netsh.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\netsh.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
RDTSC instruction interceptor: First address: 18896CF second address: 18896E8 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 dec dl 0x00000006 not cl 0x00000008 sub cl, FFFFFF82h 0x0000000b sub dx, di 0x0000000e bsr edx, esp 0x00000011 xor bl, cl 0x00000013 dec ax 0x00000016 sal eax, FFFFFFE6h 0x00000019 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
RDTSC instruction interceptor: First address: 1963009 second address: 1846175 instructions: 0x00000000 rdtsc 0x00000002 adc ax, si 0x00000005 jmp 00007F927CBB3D8Ah 0x0000000a movzx ecx, byte ptr [edi] 0x0000000d btc ax, FFE7h 0x00000012 clc 0x00000013 xor cl, bl 0x00000015 xchg ax, dx 0x00000017 sal dh, cl 0x00000019 add cl, FFFFFFE2h 0x0000001c sar edx, 29h 0x0000001f adc eax, 4AD259B5h 0x00000024 xor cl, 0000001Fh 0x00000027 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
RDTSC instruction interceptor: First address: 18C994F second address: 18C995A instructions: 0x00000000 rdtsc 0x00000002 not cl 0x00000004 bt ax, 0032h 0x00000009 add eax, ebp 0x0000000b rdtsc |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
RDTSC instruction interceptor: First address: 18C995A second address: 18C997C instructions: 0x00000000 rdtsc 0x00000002 xor cl, 00000051h 0x00000005 shl al, FFFFFF88h 0x00000008 movsx dx, ch 0x0000000c cdq 0x0000000d neg cl 0x0000000f btc ax, dx 0x00000013 ror eax, 3Ah 0x00000016 not cl 0x00000018 ror dx, cl 0x0000001b movzx edx, di 0x0000001e ror cl, 1 0x00000020 xor bl, cl 0x00000022 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
RDTSC instruction interceptor: First address: 1505987 second address: 1505992 instructions: 0x00000000 rdtsc 0x00000002 not cl 0x00000004 bt ax, 0032h 0x00000009 add eax, ebp 0x0000000b rdtsc |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
RDTSC instruction interceptor: First address: 1505992 second address: 15059B4 instructions: 0x00000000 rdtsc 0x00000002 xor cl, 00000051h 0x00000005 shl al, FFFFFF88h 0x00000008 movsx dx, ch 0x0000000c cdq 0x0000000d neg cl 0x0000000f btc ax, dx 0x00000013 ror eax, 3Ah 0x00000016 not cl 0x00000018 ror dx, cl 0x0000001b movzx edx, di 0x0000001e ror cl, 1 0x00000020 xor bl, cl 0x00000022 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
RDTSC instruction interceptor: First address: 1129138 second address: 129ECD3 instructions: 0x00000000 rdtsc 0x00000002 sub edi, 00000008h 0x00000008 test dh, dl 0x0000000a mov dword ptr [edi], edx 0x0000000c mov dword ptr [edi+04h], eax 0x0000000f adc ax, 000072BAh 0x00000013 mov eax, dword ptr [esi] 0x00000015 lea esi, dword ptr [esi+00000004h] 0x0000001b clc 0x0000001c xor eax, ebx 0x0000001e ror eax, 03h 0x00000021 jmp 00007F927D1CD0D0h 0x00000026 bswap eax 0x00000028 inc eax 0x00000029 test ebp, 079613ADh 0x0000002f neg eax 0x00000031 sub eax, 26BE4558h 0x00000036 jmp 00007F927D4A81DCh 0x0000003b xor ebx, eax 0x0000003d cmp dx, 19C7h 0x00000042 add ebp, eax 0x00000044 jmp 00007F927CD1781Ah 0x00000049 jmp 00007F927CDC647Ch 0x0000004e lea eax, dword ptr [esp+60h] 0x00000052 jmp 00007F927D0AD33Ah 0x00000057 cmp edi, eax 0x00000059 jmp 00007F927D9CF74Fh 0x0000005e ja 00007F927CA9C65Fh 0x00000064 push ebp 0x00000065 ret 0x00000066 mov ecx, dword ptr [edi] 0x00000068 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
RDTSC instruction interceptor: First address: F77410 second address: F77429 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 dec dl 0x00000006 not cl 0x00000008 sub cl, FFFFFF82h 0x0000000b sub dx, di 0x0000000e bsr edx, esp 0x00000011 xor bl, cl 0x00000013 dec ax 0x00000016 sal eax, FFFFFFE6h 0x00000019 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
RDTSC instruction interceptor: First address: 76762B second address: F523BB instructions: 0x00000000 rdtsc 0x00000002 adc ax, si 0x00000005 jmp 00007F927D9B3A9Eh 0x0000000a movzx ecx, byte ptr [edi] 0x0000000d btc ax, FFE7h 0x00000012 clc 0x00000013 xor cl, bl 0x00000015 xchg ax, dx 0x00000017 sal dh, cl 0x00000019 add cl, FFFFFFE2h 0x0000001c sar edx, 29h 0x0000001f adc eax, 4AD259B5h 0x00000024 xor cl, 0000001Fh 0x00000027 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
RDTSC instruction interceptor: First address: 11CEBCC second address: 1247CD7 instructions: 0x00000000 rdtsc 0x00000002 sar al, 00000034h 0x00000005 rol al, cl 0x00000007 mov eax, dword ptr [esp+ecx] 0x0000000a rol dh, cl 0x0000000c lea esi, dword ptr [esi-00000004h] 0x00000012 bts dx, cx 0x00000016 mov dword ptr [esi], eax 0x00000018 lea ebp, dword ptr [ebp-00000004h] 0x0000001e rcr edx, cl 0x00000020 mov edx, dword ptr [ebp+00h] 0x00000024 xor edx, ebx 0x00000026 test edi, 4C1D4763h 0x0000002c cmc 0x0000002d cmp al, CEh 0x0000002f neg edx 0x00000031 sub edx, 16B2299Dh 0x00000037 stc 0x00000038 cmc 0x00000039 clc 0x0000003a ror edx, 02h 0x0000003d stc 0x0000003e clc 0x0000003f bswap edx 0x00000041 cmp bp, 3AA2h 0x00000046 xor ebx, edx 0x00000048 cmp ah, ah 0x0000004a clc 0x0000004b add edi, edx 0x0000004d jmp 00007F927CA55644h 0x00000052 lea edx, dword ptr [esp+60h] 0x00000056 cmp di, sp 0x00000059 test si, 1D39h 0x0000005e cmp esi, edx 0x00000060 jmp 00007F927C97B36Fh 0x00000065 ja 00007F927CB1EAA7h 0x0000006b jmp edi 0x0000006d sub ebp, 00000001h 0x00000073 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe |
RDTSC instruction interceptor: First address: 11B801E second address: 1268E07 instructions: 0x00000000 rdtsc 0x00000002 sub esi, 00000008h 0x00000008 cmp ebx, edi 0x0000000a mov dword ptr [esi], edx 0x0000000c test edi, esi 0x0000000e mov dword ptr [esi+04h], eax 0x00000011 and eax, edi 0x00000013 stc 0x00000014 sub ebp, 00000004h 0x0000001a mov eax, dword ptr [ebp+00h] 0x0000001e stc 0x0000001f xor eax, ebx 0x00000021 cmc 0x00000022 jmp 00007F927CF844FCh 0x00000027 ror eax, 02h 0x0000002a clc 0x0000002b cmp bl, 00000052h 0x0000002e sub eax, 7802521Eh 0x00000033 ror eax, 1 0x00000035 cmp esi, eax 0x00000037 sub eax, 07845C0Bh 0x0000003c xor ebx, eax 0x0000003e stc 0x0000003f add edi, eax 0x00000041 jmp 00007F927D23D09Ch 0x00000046 jmp 00007F927CDD78AEh 0x0000004b lea eax, dword ptr [esp+60h] 0x0000004f cmp sp, 6C62h 0x00000054 cmc 0x00000055 stc 0x00000056 cmp esi, eax 0x00000058 jmp 00007F927D0596F4h 0x0000005d ja 00007F927D681274h 0x00000063 jmp edi 0x00000065 mov ecx, dword ptr [esi] 0x00000067 cmc 0x00000068 or dl, 0000002Ah 0x0000006b rdtsc |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe VolumeInformation |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\taskhost.exe VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\SysWOW64\netsh.exe |
Queries volume information: C:\ VolumeInformation |