Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 99.9% probability |
Source: gjsdk.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49731 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49731 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49731 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49731 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49732 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49732 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49733 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49733 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49734 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49734 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49736 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49736 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49741 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49741 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49743 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49743 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49744 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49744 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49745 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49745 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49773 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49773 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49730 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49953 -> 8082 |
Source: unknown |
Network traffic detected: HTTP traffic on port 8082 -> 49953 |
Source: global traffic |
TCP traffic: 192.168.2.4:49730 -> 45.151.62.65:8082 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: Mkj9i1IGcuFLi6pPiAlmsQ==Sec-WebSocket-Version: 13Upgrade: websocket |
Source: global traffic |
HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: GF7zLiydRprawdcGTIIheg==Sec-WebSocket-Version: 13Upgrade: websocket |
Source: global traffic |
HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: OUx2ht0WNPJoXjDZ6u3e2w==Sec-WebSocket-Version: 13Upgrade: websocket |
Source: global traffic |
HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: iEPpNfUCMB4KPKjaL5VSPQ==Sec-WebSocket-Version: 13Upgrade: websocket |
Source: global traffic |
HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: +Z+9VSkuyjpvQkVrx8MhxQ==Sec-WebSocket-Version: 13Upgrade: websocket |
Source: global traffic |
HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: C0P5MvCyAeBMUwbVkkAe/w==Sec-WebSocket-Version: 13Upgrade: websocket |
Source: global traffic |
HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: myJxkJJ4oaSedrcwhxGnjA==Sec-WebSocket-Version: 13Upgrade: websocket |
Source: global traffic |
HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: fiJuZ0206DDY4XC9dWnhuA==Sec-WebSocket-Version: 13Upgrade: websocket |
Source: global traffic |
HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: 7eYFrZDFqk4ipCw7Av6AyA==Sec-WebSocket-Version: 13Upgrade: websocket |
Source: global traffic |
HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: FH2w5nqUvChS0FqylUd82g==Sec-WebSocket-Version: 13Upgrade: websocket |
Source: global traffic |
HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: V0fRj4PL+mkXO4y7UJYUpw==Sec-WebSocket-Version: 13Upgrade: websocket |
Source: global traffic |
DNS traffic detected: DNS query: c4h10o.autos |
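The requests above come from a Go net/http client (the default User-Agent is Go-http-client/1.1) talking to a bare IP on port 8082: a GET on a long base64url-looking path alternates with WebSocket upgrade handshakes, each from a new ephemeral port and each carrying a fresh Sec-WebSocket-Key. The report prints every request with its headers run together and no CRLFs. The script below is an added example, not part of the sandbox report or of the sample itself: it parses those run-together lines as printed, scores the traits visible here (bare-IP Host, non-standard port, Go default UA, WebSocket upgrade, long base64url path), checks that the key is a valid 16-byte nonce per RFC 6455, and derives the Sec-WebSocket-Accept value the server must have answered with, which is what you grep for to find the matching 101 response in a capture. The 40-character path threshold and the choice of 80/443 as "standard" ports are my own assumptions; the Go User-Agent also appears in plenty of legitimate tooling, so treat the reasons as triage weight rather than a verdict.

```python
import base64
import hashlib
import re

# RFC 6455 section 1.3: the server proves it understood the handshake by returning
# base64(SHA-1(Sec-WebSocket-Key + this GUID)) as Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# The report prints each request with its headers run together and no CRLFs,
# so we split on the header names that actually occur in those lines.
HEADER_NAMES = ("Host", "User-Agent", "Accept-Encoding", "Connection",
                "Sec-WebSocket-Key", "Sec-WebSocket-Version", "Upgrade")
_HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES)))
_REQUEST_LINE = re.compile(r"([A-Z]+) (\S+) HTTP/1\.[01]")


def parse_request(line):
    """'GET /x HTTP/1.1Host: a:1User-Agent: ...' -> (method, path, {header: value})."""
    line = line.strip().rstrip("|").strip()
    prefix = "HTTP traffic detected: "
    if line.startswith(prefix):
        line = line[len(prefix):]
    m = _REQUEST_LINE.match(line)
    if m is None:
        return None
    headers = {}
    for chunk in _HEADER_SPLIT.split(line[m.end():]):
        if chunk:
            name, _, value = chunk.partition(": ")
            headers[name] = value.strip()
    return m.group(1), m.group(2), headers


def websocket_accept(key):
    """Sec-WebSocket-Accept a compliant server must answer with for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def valid_ws_key(key):
    """RFC 6455 section 4.1: the key is a base64-encoded 16-byte random nonce."""
    try:
        return len(base64.b64decode(key, validate=True)) == 16
    except (ValueError, TypeError):
        return False


def triage(line):
    """Score one report line on the traits visible in this sample's C2 traffic."""
    parsed = parse_request(line)
    if parsed is None:
        return None
    method, path, h = parsed
    host, _, port_s = h.get("Host", "").rpartition(":")
    if not host:                      # no ':' in Host, rpartition put it all on the right
        host, port_s = port_s, ""
    port = int(port_s) if port_s.isdigit() else None
    reasons = []
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("bare-ip-host")
    if port is not None and port not in (80, 443):   # assumed "standard" ports
        reasons.append("nonstandard-port:%d" % port)
    if h.get("User-Agent", "").startswith("Go-http-client/"):
        reasons.append("go-default-ua")   # net/http's default UA, not a browser
    is_ws = h.get("Upgrade", "").lower() == "websocket"
    if is_ws:
        reasons.append("websocket-upgrade")
    if len(path) > 40 and re.fullmatch(r"/[A-Za-z0-9_\-]+={0,2}", path):
        reasons.append("long-base64url-path")      # 40 is an assumed threshold
    key = h.get("Sec-WebSocket-Key")
    return {
        "method": method, "path": path, "host": host, "port": port,
        "websocket": is_ws,
        "ws_key_ok": valid_ws_key(key) if is_ws and key else None,
        # What a compliant server sends back; use it to locate the 101 response in a pcap.
        "expected_accept": websocket_accept(key) if is_ws and key else None,
        "reasons": reasons,
    }


# Two request lines copied verbatim from the report above.
SAMPLE_LINES = [
    "HTTP traffic detected: GET /7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfkyu3R5Q-hjDLQ== HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Accept-Encoding: gzip |",
    "HTTP traffic detected: GET / HTTP/1.1Host: 45.151.62.65:8082User-Agent: Go-http-client/1.1Connection: UpgradeSec-WebSocket-Key: Mkj9i1IGcuFLi6pPiAlmsQ==Sec-WebSocket-Version: 13Upgrade: websocket |",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
```

Feed every "HTTP traffic detected" line of the report through triage() and sort by the number of reasons; the same header splitting works on the duplicate rows further down the page. The accept derivation is the standard RFC 6455 computation and is checked against the RFC's own test vector in the accompanying test.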
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000080000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: ftp://192.168.2.47 |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000008000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://%s:%d/%sHTTP/1.1 |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://%s:%d/%sbg-hi-bluebg-hi-magentabg-hi-cyanHTTP/1.1 |
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://.css |
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://.jpg |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000080000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://45.151.62.65:8082/7FBE8Vhw_Ej3wyS05Pj-_OcuPl34HeR5tlGYDglketqIsLl6CwLCyB374ln1tVW7ajwzELAFfky |
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000300000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2963616316.000000C0008C6000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://html4/loose.dtd |
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000124000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DC000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/old_passwords |
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C00060A000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000222000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0000F2000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signature |
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000110000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002DE000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureNAME: |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C0000F2000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md#deprecated-cli-app-action-signatureeyJhbGc |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.mdMust |
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C00060A000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/urfave/cli/blob/main/docs/CHANGELOG.mdThe |
Source: mmzwi.exe, 00000002.00000002.2963616316.000000C0008AE000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C000162000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://lockn1t3.xyz |
Source: mmzwi.exe, 00000002.00000002.2962140246.000000C0005D2000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://lockn1t3.xyz--09AZ__azMMZWIODFMQ2GGOJRGRTGIM3GMY4TOYRVHBQTQZRSMZRDQNLEMVSWOZLDNNXQ |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000162000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://lockn1t3.xyz00:11:22:33:44:5500:11:22:33:44:5500:11:22:33:44:5500:11:22:33:44:5500:11:22:33: |
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C0005D0000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://lockn1t3.xyzMMZWIODFMQ2GGOJRGRTGIM3GMY4TOYRVHBQTQZRSMZRDQNLEMVSWOZLDNNXQMMZWIODFMQ2GGOJRGRTG |
Source: mmzwi.exe, 00000002.00000002.2963616316.000000C000904000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://lockn1t3.xyzocelot.jython27.xyztiger.jython27.xyz00:11:22:33:44:55cecreate |
Source: gjsdk.exe, 00000000.00000002.1748840323.000000C0005D0000.00000004.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://lockn1t3.xyzsizeof(rtype) |
Source: C:\Users\user\Desktop\gjsdk.exe |
File created: C:\Windows\AppReadiness\.840809828.tmp |
Source: C:\Windows\AppReadiness\mmzwi.exe |
File created: C:\Windows\AppReadiness\.209553492.tmp |
Source: classification engine |
Classification label: mal52.troj.evad.winEXE@4/0@1/1 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7508:120:WilError_03 |
Source: C:\Users\user\Desktop\gjsdk.exe |
File opened: C:\Windows\system32\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 |
Source: C:\Windows\AppReadiness\mmzwi.exe |
File opened: C:\Windows\system32\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 |
Source: C:\Users\user\Desktop\gjsdk.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger'); |
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0; |
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q); |
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C0002CA000.00000004.00001000.00020000.00000000.sdmp, mmzwi.exe, 00000002.00000002.2959142621.000000C0002AC000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode); |
Source: C:\Users\user\Desktop\gjsdk.exe |
File read: C:\Users\user\Desktop\gjsdk.exe |
Source: unknown |
Process created: C:\Users\user\Desktop\gjsdk.exe "C:\Users\user\Desktop\gjsdk.exe" |
Source: C:\Users\user\Desktop\gjsdk.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: unknown |
Process created: C:\Windows\AppReadiness\mmzwi.exe C:\Windows\AppReadiness\mmzwi.exe |
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
Source: C:\Users\user\Desktop\gjsdk.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\gjsdk.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\gjsdk.exe |
Section loaded: powrprof.dll |
Source: C:\Users\user\Desktop\gjsdk.exe |
Section loaded: umpdc.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: winmm.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: powrprof.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: umpdc.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: dnsapi.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: userenv.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: profapi.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: netapi32.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: wkscli.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: netutils.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: samcli.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: samlib.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: rasadhlp.dll |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: licensemanagersvc.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: licensemanager.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: clipc.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: wldp.dll |
Source: gjsdk.exe |
Static file information: File size 12120576 > 1048576 |
Source: gjsdk.exe |
Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0xb8ee00 |
Source: gjsdk.exe |
Static PE information: section name: UPX2 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
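The static indicators above (a file larger than 1 MiB, a UPX1 section whose raw size 0xb8ee00 exceeds the 0x100000 bound, sections named UPX0/UPX1/UPX2, and the four DllCharacteristics flags) can all be reproduced from the PE headers alone. The block below is an added example, not the sandbox's own check and not code from the sample: it reads DllCharacteristics and the section table from a PE image without third-party modules and applies the same UPX heuristics. The image it runs on is built inside the block with the section names and the UPX1 raw size taken from the report; the virtual sizes, addresses and the UPX2 size are made-up values, since the report does not list them. Note that HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE are ordinary modern linker defaults; they describe the binary's mitigations and say nothing about intent, whereas a zero-sized-on-disk UPX0 next to a multi-megabyte UPX1 is the packer signature worth acting on.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF spec (the report names four of them).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
UPX1_RAW_THRESHOLD = 0x100000   # the 1 MiB bound the report compares UPX1's raw size against


def parse_pe(data):
    """Read DllCharacteristics and the section table straight from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at +70 in both the PE32 and the PE32+ optional header.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i          # section table follows the optional header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"pe32plus": magic == 0x20B, "dllchar": dllchar, "sections": sections}


def dll_flags(dllchar):
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchar & bit]


def upx_findings(pe):
    """Mirror the report's UPX checks: section names, an empty-on-disk UPX0, an oversized UPX1."""
    out = []
    upx_names = [s["name"] for s in pe["sections"] if s["name"].startswith("UPX")]
    if upx_names:
        out.append("upx-sections:" + ",".join(upx_names))
    for s in pe["sections"]:
        # UPX0 is the unpacking destination: zero bytes on disk, large virtual size.
        if s["name"] == "UPX0" and s["rawsize"] == 0 and s["vsize"]:
            out.append("upx0-unpacks-to-0x%x-bytes" % s["vsize"])
        if s["name"] == "UPX1" and s["rawsize"] > UPX1_RAW_THRESHOLD:
            out.append("upx1-raw-0x%x-exceeds-0x%x" % (s["rawsize"], UPX1_RAW_THRESHOLD))
    return out


def build_header_only_pe(sections, dllchar, pe32plus=True):
    """Construct a headers-only PE (no code) so the parser can run offline.
    Constructed test data, not the sample from the report."""
    e_lfanew = 0x40
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(sections),
                       0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchar)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0)
        for name, vsize, vaddr, rawsize, rawptr in sections)
    return mz + b"PE\0\0" + coff + bytes(opt) + table


# Section names and the UPX1 raw size come from the report; every other number is assumed.
SAMPLE_PE = build_header_only_pe(
    [("UPX0", 0x1C00000, 0x1000, 0, 0),
     ("UPX1", 0xB8F000, 0x1C01000, 0xB8EE00, 0x400),
     ("UPX2", 0x1000, 0x2790000, 0x200, 0xB8F200)],
    dllchar=0x0020 | 0x0040 | 0x0100 | 0x8000)

if __name__ == "__main__":
    pe = parse_pe(SAMPLE_PE)
    print("DllCharacteristics:", ", ".join(dll_flags(pe["dllchar"])))
    for finding in upx_findings(pe):
        print("finding:", finding)
```

For a real file, pass `open(path, "rb").read()` to parse_pe(); the 0x100000 bound is the report's heuristic for "large compressed payload", not a spec limit, so tune it to your corpus.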
Source: unknown |
Executable created and started: C:\Windows\AppReadiness\mmzwi.exe |
Source: C:\Users\user\Desktop\gjsdk.exe |
PE file moved: C:\Windows\AppReadiness\mmzwi.exe |
Source: C:\Users\user\Desktop\gjsdk.exe |
Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr |
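Read together, the file, process and registry entries describe one chain: the Desktop executable writes a dot-prefixed .tmp into C:\Windows\AppReadiness, the moved PE mmzwi.exe appears at that path and is then started, and the same parent touches HKLM\SYSTEM\ControlSet001\Services\partmgr. The correlation below is an added example rather than anything the sandbox or the sample does: it pairs each "Source:" line with the indicator that follows it, collects the paths where a PE was placed, and reports a write from a non-Windows process into a Windows directory, the later execution of a dropped PE, dot-prefixed temp files, and any Services key creation. The sample text embedded in the block is copied from the report lines above. One caveat on the last tag: partmgr is the name of the built-in Partition Manager driver service, so that line most likely records a create-style open of an existing key; check the key's ImagePath and Start values against the dropped binary before counting it as service persistence.

```python
import re

SYSTEM_PREFIX = "c:\\windows\\"
DOT_TMP = re.compile(r"\\\.\d+\.tmp$", re.IGNORECASE)
SERVICES_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\", re.IGNORECASE)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
DROP_KINDS = ("PE file moved", "Executable created and started")


def parse_report(text):
    """Pair each 'Source: X |' line with the indicator line that follows it."""
    events, source = [], ""
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line:
            continue
        if line.startswith("Source: "):
            source = line[len("Source: "):]
            continue
        kind, sep, detail = line.partition(": ")
        if sep:                               # lines without 'kind: detail' are ignored
            events.append({"source": source, "kind": kind, "detail": detail})
    return events


def image_path(detail):
    """'Process created' details read '<image> <command line>'; the image path is first."""
    return detail.split(" ", 1)[0]


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_PREFIX)


def correlate(events):
    """Return (tag, actor, object) findings linking the drop, the launch and the registry write."""
    dropped = {}   # lower-cased path -> event that placed a PE there
    for ev in events:
        if ev["kind"] in DROP_KINDS:
            key = ev["detail"].lower()
            # Prefer the event whose source is a real process path over 'unknown'.
            if key not in dropped or not DRIVE_PATH.match(dropped[key]["source"]):
                dropped[key] = ev
    findings = []
    for ev in events:
        src, kind, detail = ev["source"], ev["kind"], ev["detail"]
        if kind == "File created" or kind in DROP_KINDS:
            if DRIVE_PATH.match(src) and not in_system_dir(src) and in_system_dir(detail):
                findings.append(("user-process-writes-system-dir", src, detail))
            if DOT_TMP.search(detail):
                findings.append(("dot-prefixed-tmp", src, detail))
        elif kind == "Process created":
            drop = dropped.get(image_path(detail).lower())
            if drop is not None:
                findings.append(("dropped-pe-executed", drop["source"], image_path(detail)))
        elif kind == "Registry key created" and SERVICES_KEY.match(detail):
            findings.append(("services-key-created", src, detail))
    return findings


# Lines copied from the report above (the 'Jump to behavior' link residue left out).
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\gjsdk.exe |
File created: C:\Windows\AppReadiness\.840809828.tmp |
Source: C:\Windows\AppReadiness\mmzwi.exe |
File created: C:\Windows\AppReadiness\.209553492.tmp |
Source: unknown |
Process created: C:\Users\user\Desktop\gjsdk.exe "C:\Users\user\Desktop\gjsdk.exe" |
Source: C:\Users\user\Desktop\gjsdk.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: unknown |
Process created: C:\Windows\AppReadiness\mmzwi.exe C:\Windows\AppReadiness\mmzwi.exe |
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
Source: unknown |
Executable created and started: C:\Windows\AppReadiness\mmzwi.exe |
Source: C:\Users\user\Desktop\gjsdk.exe |
PE file moved: C:\Windows\AppReadiness\mmzwi.exe |
Source: C:\Users\user\Desktop\gjsdk.exe |
Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partmgr |
"""

if __name__ == "__main__":
    for tag, actor, obj in correlate(parse_report(SAMPLE_REPORT)):
        print("%-32s %s -> %s" % (tag, actor, obj))
```

The two-pass structure matters: in the report the "Process created" entry for mmzwi.exe precedes the "PE file moved" entry that explains where it came from, so the drop map has to be complete before launches are checked.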
Source: C:\Users\user\Desktop\gjsdk.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: gjsdk.exe, 00000000.00000002.1747251241.000000C000160000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: KVMKVMKVMKVMGetFileTimeGetFileTypeMicrosoft HvFORMAIFFGetFullPathNameWGetLastErrorGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassGetProcAddressGetProcessIdFORMAIFFVMwareVMwareGetProcessTimesXenVMMXenVMMbhyve bhyve GetStartupInfoWaudio/ai |
Source: mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp |
Binary or memory string: <br/></ul>tbodytheadtfootstdinwhoisIPSecimap4rsyncsteamSkypeWhoIsNETSCXeroxMAILQVMNETUnifybhfhsFXP-1bhmdsVSLMPRTSPSbh611decapOnmuxArielSMPTEdsfgwalpesSMTPSss7nsaviandantzxvttpsnaretalkdripnguucpdkrcmdchcmddemonsonarVEMMIginadRUSHDnetGWrfilephoneKIOSKJSTELOBRPDROOTDIPCD3HuskyRxMonFTSRVMIMERBytexShiva3l-l1WinDDMSIMSradiocvmoncnhrpcft-0cft-1cft-2cft-3cft-4cft-5cft-6cft-7helloMMPFTSPICESlushCacheglobetroffrimslDSATPNETMLSNAPPdbrefRSMTPOrionvenusTOP/XTSILBspockWillyWinDbIPASSbruceSolveSonuswkarsqotpsAlarmUADTCaurisAISESaaftprmlnkPDnetREBOLqsoftICPv24TalkPlatoE-NetMySQLBBARSCSMS2jt400MS-LAITOSESariseMuleMCNTPA1-BSICMPDCVSupSSDTPProEdCDDBPWebSMqueuepokerIRISAHivePTrackBINKPquakeKuangyamux[E]: /hostES256ES384ES512EdDSAHS256HS384HS512RS256RS384RS512PS256PS384PS512%s=%qc(%s) |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: IDEAFARM-CATCH / NetDevil trojanVMware Authentication Daemon |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000368000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: VMware Web Access |
Source: gjsdk.exe, 00000000.00000002.1742065604.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000001.1731920546.00000000024DE000.00000040.00000001.01000000.00000005.sdmp |
Binary or memory string: QeMUY6J |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C000394000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: VMware Authentication Daemon / IDEAFARM-CHAT |
Source: gjsdk.exe, 00000000.00000002.1742065604.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp, mmzwi.exe, 00000002.00000001.1731920546.00000000024BF000.00000040.00000001.01000000.00000005.sdmp |
Binary or memory string: ijfV6o2HGfS |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C0002CC000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: places.sqliteplaces.sqliteClearCommError192.168.2.203192.168.2.204CloseHandleplaces.sqliteextensions.jsonConnectNamedPipeCreateDirectoryWCreateEventExWCreateEventWCreateFileWCreateHardLinkWCreateJobObjectWunsupported itemunsupported itemCreateMutexExWCreateMutexWparse error192.168.2.205CreateNamedPipeWCreatePipeCreateProcessW192.168.2.206192.168.2.207192.168.2.208AMDisbetter!DefineDosDeviceWDeleteFileWDeviceIoControlAuthenticAMDCentaurHaulsGenuineIntel192.168.2.209DuplicateHandleExitProcessFindCloseFindFirstFileWFindFirstVolumeWFindNextFileWFindNextVolumeWFindResourceWFindVolumeCloseFlushFileBuffersFlushViewOfFileFormatMessageWFreeLibraryGetCommStateGetCommTimeoutsGetCommandLineW192.168.2.210TransmetaCPUGetComputerNameW192.168.2.211192.168.2.212GetConsoleCPGetConsoleModeGenuineTMx86Geode by NSCVIA VIA VIA 192.168.2.213192.168.2.214KVMKVMKVMKVMGetDriveTypeWMicrosoft Hv192.168.2.215GetFileTimeGetFileType192.168.2.216VMwareVMwareGetFullPathNameWGetLastErrorGetLogicalDrivesGetLongPathNameWGetNamedPipeInfoGetPriorityClassGetProcAddressGetProcessIdXenVMMXenVMMbhyve bhyve GetProcessTimes192.168.2.217192.168.2.218GetStartupInfoWHygonGenuineVortex86 SoCGetStdHandleSiS SiS SiS 192.168.2.219GetTempPathWGetTickCount64192.168.2.220RiseRiseRiseGetVersionGenuine RDC192.168.2.221192.168.2.222192.168.2.223192.168.2.224192.168.2.225IsWow64ProcessIsWow64Process2LoadLibraryExW192.168.2.226192.168.2.227LoadLibraryWLoadResourceLocalAllocLocalFreeLockFileExLockResourceMapViewOfFile192.168.2.228192.168.2.229Module32FirstW192.168.2.230192.168.2.231Module32NextW192.168.2.232192.168.2.233MoveFileExWGenuineIntel192.168.2.234MoveFileWOpenEventW192.168.2.235192.168.2.236OpenMutexWOpenProcessOpenThread192.168.2.237192.168.2.238Process32FirstWProcess32NextWPulseEventPurgeComm192.168.2.239Did you mean %q?QueryDosDeviceWReadConsReadFile 
,,ReadConsoleWReleaseMutexW192.168.2.240192.168.2.241RemoveDirectoryWResetEventResumeThreadSetCommBreakSetCommMask192.168.2.242192.168.2.243SetCommStateshow help]192.168.2.244SetCommTimeoutsSetConsoleCPSetConsoleMode192.168.2.245[command]192.168.2.246192.168.2.247SetDllDirectoryW[command]192.168.2.248SetEndOfFileSetEnvirSetEvent192.168.2.249SetErrorModetestdata/fuzz |
Source: mmzwi.exe, 00000002.00000002.2955357792.0000000002441000.00000040.00000001.01000000.00000005.sdmp |
Binary or memory string: rlogindhcpv6vmwareradiuscpanelTelnetNI FTPGophervettcpFingerSUPDUPISO-IPJargonXyplexDirectrescapZannetHassleUTMPSDUTMPCDcomscmskronkMondexulpnetISAKMPPassGogdomapwhoamiudemonrepcmdSANityAminetRepCmdSun DRMeCommAgentXnloginquotadomservsubmitentombwpagesdevicevsinetmaitrdbusboynimregCARDAXPROOFDMurrayDNS2Gohermesudt_osDBStarTabulaPEportrfx-lmoracleisi-lm3ds-lmsna-csorbixdontimekermitrrirtrrrimwmrrilwmrrifmmrrisatcentraimperacaicciwinddxroketzproximencorepsmondRADIUSMyrtlecsoft1TALNETarmadptekplsmpnjscUniSQLsearchcdfuncsdfuncNBX CCNBX AUComcamAVENUEDOCENTRECIPeCVMMONpehelpsdhelpfcmsysFutrixWusageG-TalkGROOVEBMC ARDIRGISfjmpssREFTEKlabratDeliboCECSVCnetrekAMInetTragicOLHOSTtqdataRaven1Raven2aic-npcspuniatmtcpka0wucsilkp1silkp2silkp3silkp4glishddaishiEpiconROBOERJAMCT5JAMCT6SignalZARKOVBOSCAPITB301vsixmldi-asegds_dbTL1-LVVMODEMadmindSYSOPTfg-fpsfg-gippdrncsVNSSTRWebTIESUITJDDJ ILMSAVANTPharosN1-FWPActNetDJ-ICEA1-MSCEWCTSPxdsxdmJMACT3jmevt2iRDMI2PatrolLM DtaabarsdtruecmrasadvPalaceBlockshp-scohp-scaAsylummed-cipolicysha256deleteKOI8-RKOI8-U_count^(?i)(_blue__cyan_inverthiddenfinishack:%dIgnoreUTF-16[%d]%s |
Source: mmzwi.exe, 00000002.00000002.2959142621.000000C0002CC000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: VMwareVMware |
Source: gjsdk.exe, 00000000.00000002.1750980942.000002B0E4744000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: mmzwi.exe, 00000002.00000002.2966741709.000001F8FE57C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNN |
Source: C:\Users\user\Desktop\gjsdk.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\gjsdk.exe |
Queries volume information: C:\Users\user\Desktop\gjsdk.exe VolumeInformation |
Source: C:\Users\user\Desktop\gjsdk.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Queries volume information: C:\Windows\AppReadiness\mmzwi.exe VolumeInformation |
Source: C:\Windows\AppReadiness\mmzwi.exe |
Queries volume information: C:\ VolumeInformation (12 identical entries) |
Source: C:\Users\user\Desktop\gjsdk.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |