Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: bUAB.exe, 00000000.00000002.2912273923.000000001AFF3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en |
Source: bUAB.exe, 00000000.00000002.2909667773.0000000000807000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: bUAB.exe, 00000000.00000002.2912273923.000000001AFEA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab; |
Source: bUAB.exe, 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Yara match |
File source: bUAB.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR |
Source: bUAB.exe, type: SAMPLE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: bUAB.exe, type: SAMPLE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: bUAB.exe, type: SAMPLE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: bUAB.exe, type: SAMPLE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: dump.pcap, type: PCAP |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen |
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen |
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen |
Source: 00000000.00000002.2909667773.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.2909667773.0000000000807000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.2912273923.000000001AFA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown |
Source: bUAB.exe, type: SAMPLE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: bUAB.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: bUAB.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: bUAB.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: dump.pcap, type: PCAP |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. |
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI |
Source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy |
Source: 00000000.00000002.2909667773.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.2909667773.0000000000807000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.2912273923.000000001AFA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR |
Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12 |
Source: bUAB.exe, Settings.cs |
Base64 encoded string: 'WsUhTQje46qdg2lN6JVthKiw+LAQPDmUXNV5eUfEgROdFv89WKJ5OXBQdA0ZV8DCeYqmjvHT+Fa4fGwUeLUQyw==', 'TkYgoLUZBVzMxX20nfUGzR0GU0lcgPfvXXdATyC6183xEBWX/txToy/uzmYYMLxWn7Ngs0Nb46W8/iHfO2jAvB3utnkB9ylAt5KbkBV2XKw=', 'VmzBJGQ03lXVyrXTnqsJeQzo4Uutzy+bnv96bRJu+VfOcm27jIsPlggtAUMPT6ngayeinTyrzw1GSowjSZ78jA==', 'tsQctTio8bwbLQHkd9MfpL5jMkUBsZiLhpb1ppBFw8lAL+ztbcRrM8CA6i8vSDsh0M83PaMtnTj43hkcl9yY7A==', 'gzbSl59ZwlrDDVgvI2gcD1WGL1yS/K4kbXaiB5D+2d0LbU4ZB3yyRj/n4eomiTs7zG6MBAYzEyjMFk38fR/e/gLs92IVR9p+9cXhspQmsFRQVB6DD1Tr79kfQAofEWiw', 'H2WEsBgVBmC9/R62QTBaX89PgGnTZsbjdmw6EU2Fhy+ylpXiVfAm6YeTAxT+OlMR5llG4AUOodkNIiOBNNakLA==', 'PeOYw+bEtEhjCnll95hRjz3upv9bP1uivsDB4g3zuVS6br9QlKUe8PM0BTbiO73AMT7LRVofPKAHx+ILILCW/g==', 'Vu8u5NKpQ90jbn0VVcYy/4Rly7nw8QOXeVhFueu99AtFwsNK9u59fhMgWx81PI2dBv0boTu3zi4MTXhEndRTcA==', 'YlvdchsTMVZZxYCDwrwxPovuwOCjuIdff+Em4X+Ui5VT4Tr8CJKmMv7r/EpbEDhOVKySH5miswBAlCMnIMUa6w==' |
Source: bUAB.exe, NormalStartup.cs |
Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==' |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: secur32.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: schannel.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: mskeyprotect.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: ncryptsslp.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: cryptnet.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: webio.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: cabinet.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: sxs.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: devenum.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: devobj.dll |
Source: C:\Users\user\Desktop\bUAB.exe |
Section loaded: msdmo.dll |
Source: Yara match |
File source: bUAB.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR |
Source: C:\Users\user\Desktop\bUAB.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Yara match |
File source: bUAB.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR |
Source: bUAB.exe, 00000000.00000002.2912273923.000000001AFA6000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW0 |
Source: bUAB.exe, 00000000.00000002.2912981417.000000001B19F000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: bUAB.exe, AntiProcess.cs |
Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId) |
Source: bUAB.exe, Win32.cs |
Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) |
Source: bUAB.exe, Win32.cs |
Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi)) |
Source: bUAB.exe, Amsi.cs |
Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _) |
Source: bUAB.exe, 00000000.00000002.2910315909.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002735000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002727000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: bUAB.exe, 00000000.00000002.2910315909.0000000002A00000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002735000.00000004.00000800.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2910315909.0000000002727000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: Program Manager@ |
Source: Yara match |
File source: bUAB.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.bUAB.exe.3b0000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR |
Source: bUAB.exe, 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: MSASCui.exe |
Source: bUAB.exe, 00000000.00000002.2912273923.000000001AFF3000.00000004.00000020.00020000.00000000.sdmp, bUAB.exe, 00000000.00000002.2909667773.00000000007FB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe |
Source: bUAB.exe, 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: procexp.exe |
Source: bUAB.exe, 00000000.00000000.1660518176.00000000003B2000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: MsMpEng.exe |
Source: Yara match |
File source: 00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR |
Source: Yara match |
File source: 00000000.00000002.2910315909.00000000029C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2910315909.00000000026C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2910315909.0000000002743000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: bUAB.exe PID: 7532, type: MEMORYSTR |