
Analysis Report CyneroS.exe

Overview

General Information

Sample Name: CyneroS.exe
Analysis ID: 286545
MD5: be90f481e02b0ace7a206870a15e8ffd
SHA1: 64f6698bb97c1908774326deea77b96fdefacbc7
SHA256: 1717f043b5ea0db5a43ef7bca9820a3c656dca8336139ccc499683c63ad0f1c3
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains very large strings
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: System File Execution Location Anomaly
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • CyneroS.exe (PID: 792 cmdline: 'C:\Users\user\Desktop\CyneroS.exe' MD5: BE90F481E02B0ACE7A206870A15E8FFD)
    • cmd.exe (PID: 1344 cmdline: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 3 > Nul & Del 'C:\Users\user\Desktop\CyneroS.exe'&'C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 1436 cmdline: ping 1.1.1.1 -n 1 -w 3 MD5: 70C24A306F768936563ABDADB9CA9108)
      • RuntimeBroker.exe (PID: 3052 cmdline: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe MD5: BE90F481E02B0ACE7A206870A15E8FFD)
  • RuntimeBroker.exe (PID: 6740 cmdline: 'C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe' MD5: BE90F481E02B0ACE7A206870A15E8FFD)
  • RuntimeBroker.exe (PID: 5932 cmdline: 'C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe' MD5: BE90F481E02B0ACE7A206870A15E8FFD)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: CyneroS.exe, Rule: RAT_LuxNet, Description: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cff5:$a: GetHashCode
  • 0x243f8:$b: Activator
  • 0x2379d:$c: WebClient
  • 0x1cfd4:$d: op_Equality
  • 0x262f8:$e: dickcursor.cur
  • 0x257e8:$f: {0}|{1}|{2}
Source: CyneroS.exe, Rule: LuxNet, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cff5:$a: GetHashCode
  • 0x243f8:$b: Activator
  • 0x2379d:$c: WebClient
  • 0x1cfd4:$d: op_Equality
  • 0x262f8:$e: dickcursor.cur
  • 0x257e8:$f: {0}|{1}|{2}

Dropped Files

Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, Rule: RAT_LuxNet, Description: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cff5:$a: GetHashCode
  • 0x243f8:$b: Activator
  • 0x2379d:$c: WebClient
  • 0x1cfd4:$d: op_Equality
  • 0x262f8:$e: dickcursor.cur
  • 0x257e8:$f: {0}|{1}|{2}
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, Rule: LuxNet, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cff5:$a: GetHashCode
  • 0x243f8:$b: Activator
  • 0x2379d:$c: WebClient
  • 0x1cfd4:$d: op_Equality
  • 0x262f8:$e: dickcursor.cur
  • 0x257e8:$f: {0}|{1}|{2}

Memory Dumps

Source: 00000006.00000002.653197241.00000000000B2000.00000002.00020000.sdmp, Rule: RAT_LuxNet, Description: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cdf5:$a: GetHashCode
  • 0x241f8:$b: Activator
  • 0x2359d:$c: WebClient
  • 0x1cdd4:$d: op_Equality
  • 0x260f8:$e: dickcursor.cur
  • 0x255e8:$f: {0}|{1}|{2}
Source: 00000006.00000002.653197241.00000000000B2000.00000002.00020000.sdmp, Rule: LuxNet, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cdf5:$a: GetHashCode
  • 0x241f8:$b: Activator
  • 0x2359d:$c: WebClient
  • 0x1cdd4:$d: op_Equality
  • 0x260f8:$e: dickcursor.cur
  • 0x255e8:$f: {0}|{1}|{2}
Source: 0000000B.00000002.427374204.0000000000A42000.00000002.00020000.sdmp, Rule: RAT_LuxNet, Description: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cdf5:$a: GetHashCode
  • 0x241f8:$b: Activator
  • 0x2359d:$c: WebClient
  • 0x1cdd4:$d: op_Equality
  • 0x260f8:$e: dickcursor.cur
  • 0x255e8:$f: {0}|{1}|{2}
Source: 0000000B.00000002.427374204.0000000000A42000.00000002.00020000.sdmp, Rule: LuxNet, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cdf5:$a: GetHashCode
  • 0x241f8:$b: Activator
  • 0x2359d:$c: WebClient
  • 0x1cdd4:$d: op_Equality
  • 0x260f8:$e: dickcursor.cur
  • 0x255e8:$f: {0}|{1}|{2}
Source: 00000006.00000000.401864182.00000000000B2000.00000002.00020000.sdmp, Rule: RAT_LuxNet, Description: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cdf5:$a: GetHashCode
  • 0x241f8:$b: Activator
  • 0x2359d:$c: WebClient
  • 0x1cdd4:$d: op_Equality
  • 0x260f8:$e: dickcursor.cur
  • 0x255e8:$f: {0}|{1}|{2}

Unpacked PEs

Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, Rule: RAT_LuxNet, Description: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cff5:$a: GetHashCode
  • 0x243f8:$b: Activator
  • 0x2379d:$c: WebClient
  • 0x1cfd4:$d: op_Equality
  • 0x262f8:$e: dickcursor.cur
  • 0x257e8:$f: {0}|{1}|{2}
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, Rule: LuxNet, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cff5:$a: GetHashCode
  • 0x243f8:$b: Activator
  • 0x2379d:$c: WebClient
  • 0x1cfd4:$d: op_Equality
  • 0x262f8:$e: dickcursor.cur
  • 0x257e8:$f: {0}|{1}|{2}
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, Rule: RAT_LuxNet, Description: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cff5:$a: GetHashCode
  • 0x243f8:$b: Activator
  • 0x2379d:$c: WebClient
  • 0x1cfd4:$d: op_Equality
  • 0x262f8:$e: dickcursor.cur
  • 0x257e8:$f: {0}|{1}|{2}
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, Rule: LuxNet, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cff5:$a: GetHashCode
  • 0x243f8:$b: Activator
  • 0x2379d:$c: WebClient
  • 0x1cfd4:$d: op_Equality
  • 0x262f8:$e: dickcursor.cur
  • 0x257e8:$f: {0}|{1}|{2}
Source: 1.2.CyneroS.exe.c60000.0.unpack, Rule: RAT_LuxNet, Description: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>, Strings:
  • 0x1cff5:$a: GetHashCode
  • 0x243f8:$b: Activator
  • 0x2379d:$c: WebClient
  • 0x1cfd4:$d: op_Equality
  • 0x262f8:$e: dickcursor.cur
  • 0x257e8:$f: {0}|{1}|{2}

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process startedAuthor: Florian Roth, Patrick Bareiss: Data: Command: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, CommandLine: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, NewProcessName: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, ParentCommandLine: 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 3 > Nul & Del 'C:\Users\user\Desktop\CyneroS.exe'&'C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1344, ProcessCommandLine: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, ProcessId: 3052

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: CyneroS.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, Avira: detection malicious, Label: TR/Spy.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, Virustotal: Detection: 55%
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, Metadefender: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, ReversingLabs: Detection: 70%
Multi AV Scanner detection for submitted file
Source: CyneroS.exe, Virustotal: Detection: 55%
Source: CyneroS.exe, Metadefender: Detection: 52%
Source: CyneroS.exe, ReversingLabs: Detection: 70%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CyneroS.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, Avira: Label: TR/Spy.Gen
Source: 1.2.CyneroS.exe.c60000.0.unpack, Avira: Label: TR/Spy.Gen
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, Avira: Label: TR/Spy.Gen
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, Avira: Label: TR/Spy.Gen
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, Avira: Label: TR/Spy.Gen
Source: 14.2.RuntimeBroker.exe.d0000.0.unpack, Avira: Label: TR/Spy.Gen
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, Avira: Label: TR/Spy.Gen
Source: 1.0.CyneroS.exe.c60000.0.unpack, Avira: Label: TR/Spy.Gen

Networking:

Uses dynamic DNS services
Source: unknown, DNS query: name: windowsconnect.duckdns.org
Uses ping.exe to check the status of other devices and networks
Source: unknown, Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3
Source: global traffic, TCP traffic: 192.168.2.3:49734 -> 191.205.215.182:4431
Source: Joe Sandbox View, IP Address: 1.1.1.1
Source: Joe Sandbox View, ASN Name: TELEFONICABRASILSABR
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: unknown, DNS traffic detected: queries for: windowsconnect.duckdns.org
Source: CyneroS.exe, 00000001.00000002.403816411.0000000006822000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000006.00000002.655771995.00000000053C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000000B.00000002.428658576.0000000005D80000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000000E.00000002.446755765.00000000053E0000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: RuntimeBroker.exe, String found in binary or memory: http://i.imgur.com/2DZkQy0.jpg
Source: CyneroS.exe, String found in binary or memory: http://i.imgur.com/2DZkQy0.jpg=http://i.imgur.com/o0klJiE.jpg=http://i.imgur.com/8taafg1.jpg
Source: RuntimeBroker.exe, String found in binary or memory: http://i.imgur.com/8taafg1.jpg
Source: RuntimeBroker.exe, String found in binary or memory: http://i.imgur.com/o0klJiE.jpg

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: CyneroS.exe, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL
Source: CyneroS.exe, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ
Source: RuntimeBroker.exe.1.dr, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL
Source: RuntimeBroker.exe.1.dr, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ
Source: 1.2.CyneroS.exe.c60000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL
Source: 1.2.CyneroS.exe.c60000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ
Source: 1.0.CyneroS.exe.c60000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL
Source: 1.0.CyneroS.exe.c60000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs, .Net Code: N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ
Source: CyneroS.exe, 00000001.00000002.400153688.00000000012FA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: CyneroS.exe, type: SAMPLE, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: CyneroS.exe, type: SAMPLE, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.653197241.00000000000B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.653197241.00000000000B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.427374204.0000000000A42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.427374204.0000000000A42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000000.401864182.00000000000B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000000.401864182.00000000000B2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.399509155.0000000000C62000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.399509155.0000000000C62000.00000002.00020000.sdmp, type: MEMORY, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.445151838.00000000000D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.445151838.00000000000D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.401024204.00000000042D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.401024204.00000000042D1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.384377910.0000000000C62000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000000.384377910.0000000000C62000.00000002.00020000.sdmp, type: MEMORY, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.443534689.00000000000D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000000.443534689.00000000000D2000.00000002.00020000.sdmp, type: MEMORY, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.426289542.0000000000A42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.426289542.0000000000A42000.00000002.00020000.sdmp, type: MEMORY, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, type: DROPPED, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, type: DROPPED, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, type: UNPACKEDPE, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, type: UNPACKEDPE, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CyneroS.exe.c60000.0.unpack, type: UNPACKEDPE, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.CyneroS.exe.c60000.0.unpack, type: UNPACKEDPE, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.CyneroS.exe.c60000.0.unpack, type: UNPACKEDPE, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.0.CyneroS.exe.c60000.0.unpack, type: UNPACKEDPE, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, type: UNPACKEDPE, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RuntimeBroker.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: Detects LuxNet RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RuntimeBroker.exe.d0000.0.unpack, type: UNPACKEDPE, Matched rule: LuxNet, Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, type: UNPACKEDPEMatched rule: Detects LuxNet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, type: UNPACKEDPEMatched rule: LuxNet Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects LuxNet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, type: UNPACKEDPEMatched rule: LuxNet Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large strings
Source: CyneroS.exe, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Long String: Length: 10132
Source: RuntimeBroker.exe.1.dr, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Long String: Length: 10132
Source: 1.2.CyneroS.exe.c60000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Long String: Length: 10132
Source: 1.0.CyneroS.exe.c60000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Long String: Length: 10132
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Long String: Length: 10132
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Long String: Length: 10132
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Long String: Length: 10132
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Long String: Length: 10132
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Long String: Length: 10132
Source: C:\Users\user\Desktop\CyneroS.exe | Code function: 1_2_05450006
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Code function: 6_2_027B0007
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Code function: 11_2_05920006
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Code function: 14_2_027D0007
Source: CyneroS.exe, 00000001.00000002.400153688.00000000012FA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs CyneroS.exe
Source: CyneroS.exe, 00000001.00000002.405477661.0000000007990000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs CyneroS.exe
Source: CyneroS.exe, 00000001.00000002.405655995.0000000007A90000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs CyneroS.exe
Source: CyneroS.exe, 00000001.00000002.405655995.0000000007A90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CyneroS.exe
Source: CyneroS.exe, type: SAMPLE | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: CyneroS.exe, type: SAMPLE | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 00000006.00000002.653197241.00000000000B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 00000006.00000002.653197241.00000000000B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 0000000B.00000002.427374204.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 0000000B.00000002.427374204.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 00000006.00000000.401864182.00000000000B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 00000006.00000000.401864182.00000000000B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 00000001.00000002.399509155.0000000000C62000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 00000001.00000002.399509155.0000000000C62000.00000002.00020000.sdmp, type: MEMORY | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 0000000E.00000002.445151838.00000000000D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 0000000E.00000002.445151838.00000000000D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 00000001.00000002.401024204.00000000042D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 00000001.00000002.401024204.00000000042D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 00000001.00000000.384377910.0000000000C62000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 00000001.00000000.384377910.0000000000C62000.00000002.00020000.sdmp, type: MEMORY | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 0000000E.00000000.443534689.00000000000D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 0000000E.00000000.443534689.00000000000D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 0000000B.00000000.426289542.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 0000000B.00000000.426289542.0000000000A42000.00000002.00020000.sdmp, type: MEMORY | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, type: DROPPED | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe, type: DROPPED | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, type: UNPACKEDPE | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 1.2.CyneroS.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 1.2.CyneroS.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 1.0.CyneroS.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 1.0.CyneroS.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 14.2.RuntimeBroker.exe.d0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 14.2.RuntimeBroker.exe.d0000.0.unpack, type: UNPACKEDPE | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, type: UNPACKEDPE | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_LuxNet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects LuxNet RAT, reference = http://malwareconfig.com/stats/LuxNet
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, type: UNPACKEDPE | Matched rule: LuxNet date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/LuxNet
Source: CyneroS.exe, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9uXFdpbjg=', 'SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'QzpcUHJvZ3JhbURhdGFcTWljcm9zb2Z0XFdpbmRvd3NcU3RhcnQgTWVudVxQcm9ncmFtc1xTdGFydFVw', 'QzpcV2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1xob3N0cw==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXI=', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt', 'IlNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFN5c3RlbSI=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt'
Source: RuntimeBroker.exe.1.dr, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9uXFdpbjg=', 'SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'QzpcUHJvZ3JhbURhdGFcTWljcm9zb2Z0XFdpbmRvd3NcU3RhcnQgTWVudVxQcm9ncmFtc1xTdGFydFVw', 'QzpcV2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1xob3N0cw==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXI=', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt', 'IlNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFN5c3RlbSI=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt'
Source: 1.2.CyneroS.exe.c60000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9uXFdpbjg=', 'SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'QzpcUHJvZ3JhbURhdGFcTWljcm9zb2Z0XFdpbmRvd3NcU3RhcnQgTWVudVxQcm9ncmFtc1xTdGFydFVw', 'QzpcV2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1xob3N0cw==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXI=', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt', 'IlNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFN5c3RlbSI=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt'
Source: 1.0.CyneroS.exe.c60000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9uXFdpbjg=', 'SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'QzpcUHJvZ3JhbURhdGFcTWljcm9zb2Z0XFdpbmRvd3NcU3RhcnQgTWVudVxQcm9ncmFtc1xTdGFydFVw', 'QzpcV2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1xob3N0cw==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXI=', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt', 'IlNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFN5c3RlbSI=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt'
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9uXFdpbjg=', 'SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'QzpcUHJvZ3JhbURhdGFcTWljcm9zb2Z0XFdpbmRvd3NcU3RhcnQgTWVudVxQcm9ncmFtc1xTdGFydFVw', 'QzpcV2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1xob3N0cw==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXI=', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt', 'IlNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFN5c3RlbSI=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt'
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9uXFdpbjg=', 'SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'QzpcUHJvZ3JhbURhdGFcTWljcm9zb2Z0XFdpbmRvd3NcU3RhcnQgTWVudVxQcm9ncmFtc1xTdGFydFVw', 'QzpcV2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1xob3N0cw==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXI=', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt', 'IlNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFN5c3RlbSI=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt'
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9uXFdpbjg=', 'SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'QzpcUHJvZ3JhbURhdGFcTWljcm9zb2Z0XFdpbmRvd3NcU3RhcnQgTWVudVxQcm9ncmFtc1xTdGFydFVw', 'QzpcV2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1xob3N0cw==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXI=', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt', 'IlNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFN5c3RlbSI=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt'
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9uXFdpbjg=', 'SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'QzpcUHJvZ3JhbURhdGFcTWljcm9zb2Z0XFdpbmRvd3NcU3RhcnQgTWVudVxQcm9ncmFtc1xTdGFydFVw', 'QzpcV2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1xob3N0cw==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXI=', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt', 'IlNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFN5c3RlbSI=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt'
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9u', 'SEtFWV9MT0NBTF9NQUNISU5FXFNPRlRXQVJFXE1pY3Jvc29mdFxXaW5kb3dzIE5UXEN1cnJlbnRWZXJzaW9uXFdpbjg=', 'SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs', 'QzpcUHJvZ3JhbURhdGFcTWljcm9zb2Z0XFdpbmRvd3NcU3RhcnQgTWVudVxQcm9ncmFtc1xTdGFydFVw', 'QzpcV2luZG93c1xzeXN0ZW0zMlxkcml2ZXJzXGV0Y1xob3N0cw==', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVu', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcRXhwbG9yZXI=', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt', 'IlNvZnR3YXJlXFBvbGljaWVzXE1pY3Jvc29mdFxXaW5kb3dzXFN5c3RlbSI=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUG9saWNpZXNcU3lzdGVt'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/3@71/3
Source: C:\Users\user\Desktop\CyneroS.exe | Code function: 1_2_067E01B2 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\CyneroS.exe | Code function: 1_2_067E017B AdjustTokenPrivileges
Source: C:\Users\user\Desktop\CyneroS.exe | File created: C:\Users\user\AppData\Roaming\Updates
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5884:120:WilError_01
Source: C:\Users\user\Desktop\CyneroS.exe | Mutant created: \Sessions\1\BaseNamedObjects\ (F&)'&7M9!KG!HX15 V=E%G#O/0)O00C2NRWR<GD)J~-NY<6(72!G XOCMXZJYFE
Source: CyneroS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CyneroS.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CyneroS.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\CyneroS.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\CyneroS.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\CyneroS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: CyneroS.exe | Virustotal: Detection: 55%
Source: CyneroS.exe | Metadefender: Detection: 52%
Source: CyneroS.exe | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\CyneroS.exe | File read: C:\Users\user\Desktop\CyneroS.exe
Source: unknown | Process created: C:\Users\user\Desktop\CyneroS.exe 'C:\Users\user\Desktop\CyneroS.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 3 > Nul & Del 'C:\Users\user\Desktop\CyneroS.exe'&'C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe 'C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe 'C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe'
Source: C:\Users\user\Desktop\CyneroS.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping 1.1.1.1 -n 1 -w 3 > Nul & Del 'C:\Users\user\Desktop\CyneroS.exe'&'C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 1.1.1.1 -n 1 -w 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe
Source: C:\Users\user\Desktop\CyneroS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: CyneroS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\CyneroS.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: CyneroS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: CyneroS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Windows\exe\CyneroS.pdb source: RuntimeBroker.exe, 00000006.00000002.654259444.0000000000F01000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\exe\CyneroS.pdb source: RuntimeBroker.exe, 00000006.00000002.654259444.0000000000F01000.00000004.00000001.sdmp
Source: Binary string: indows\CyneroS.pdbpdbroS.pdb source: RuntimeBroker.exe, 00000006.00000002.654259444.0000000000F01000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\CyneroS.pdb source: RuntimeBroker.exe, 00000006.00000002.654259444.0000000000F01000.00000004.00000001.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\Updates\CyneroS.pdb source: RuntimeBroker.exe, 00000006.00000002.654259444.0000000000F01000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Susurro\Desktop\CyneroS.pdb source: RuntimeBroker.exe, CyneroS.exe
Source: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exeCode function: 6_2_027B1411 push 47F400DEh; iretd 6_2_027B141E
Source: CyneroS.exe, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs High entropy of concatenated method names: 'get_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'set_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'SetCursorPos', 'mouse_event', 'mciSendString', 'get_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'set_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'BlockInput', 'SwapMouseButton', 'FindWindow'
Source: CyneroS.exe, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs High entropy of concatenated method names: '.ctor', 'f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL', 'odzk9p94MT2SAzpNEvpGJPXIXBpKb78L', 'PpP1ZJ6vL5Rjf7JOtscM9GwrJK0FUBoE', 'hrj27DaUwuS0ibvOJ9hxCVzkl1el66em', 'a9yLePGXZQjjXdJeqiXxaXxmPUTkgRoO', 'j9NXRGsiY2KyDABDf9S5NccIdAr2MCb2', 'N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ', 'SetWindowsHookEx', 'CallNextHookEx'
Source: CyneroS.exe, Uz6pmBgikQRQKMCQaOsConle7zbV4wJg.cs High entropy of concatenated method names: 'add_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'remove_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'Oweg6l8unTQq589p50V7s054RXJq4WEK', 'add_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'remove_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'rDjezLX0kamorsGR5lQV9p441hDbLtaA', 'add_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'remove_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'Vr4Hagu9vcySNPukIRFfeyipMGRE0kSz', 'add_emXvL5ettkTFDIpveEG2ROojCyp5prWu'
Source: CyneroS.exe, rKyH6RiElynXjuPcpqtEpkP7QcvpRGhm.cs High entropy of concatenated method names: '.cctor', '.ctor', 'get_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'set_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'DePPnhfoPURbeKaoGZ87IlCPgJLUqOAw', 'vMXFSQfFDrQEePRSb2Yl6edVxzcplo6b', 'kKM0FUXFsOU0xpNqBbiPR05qddSAqyhl', 'lme1LmY0vfI0FOiZyF4KPFB6gO80V5Wb', 'GZj2WaSCdgL28tduEgYbMuuaWfZyRJLy', 'XPZkS00WIzjl4YeYtkZuxVr4V6zeMHNg'
Source: CyneroS.exe, mEd117s3i1y3NXTkHjayNJxPoi0MxkfX.cs High entropy of concatenated method names: 'GetProcAddress', 'LoadLibrary', '.ctor', 'AuthenticateSql', 'cnnZSOqm1JMACSo6khOxfQFibDAfbW18', 'DgHV4PUuYWyBWD19EO5ApufIxJS0k1fh', 'J5l6ojP7U5zc84aeuGrDhGw6hmkctwCl', 'ektYpJC70hlYTPAfE3kDCpR8BlpiiFhH', 'pgs0MT1l5x7d2fSO316r3mhDh2Avw4PZ', 'Phy1aS3JrUfxfUemkxXMu1GzQRjCTOCz'
Source: CyneroS.exe, BveDohN1tdZy3GptXcUGn5MjUR1PrMun.cs High entropy of concatenated method names: '.ctor', 'QNmsnAXgzilvDVaCimSEXueJm41z5ADG', 'L34KBAjUkurs9ZTlhzl1v4lYgY27JerK', 'tFkKaivFiA1CxOlEbaY67PYONXm55ISE', 'DH02aZKyOUFzG7M4nhy0dwCDye9g30yh', 'GvmpIrz1APpnHGx7r1iqLIUnaxpQHo87', 'YMhjL3By8iFz8b2EqWmaNdPW3YblG9AL', 'di70EEEAlZSKHlcc7wQYnVUcteLvkNkZ', 'IPX1XNkGNH3OJhvxKNxogqkSKg3uwmg1', 'PCEMkDLs2Cgyy8jIk86w38pMMXEGxa5c'
Source: RuntimeBroker.exe.1.dr, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs High entropy of concatenated method names: 'get_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'set_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'SetCursorPos', 'mouse_event', 'mciSendString', 'get_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'set_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'BlockInput', 'SwapMouseButton', 'FindWindow'
Source: RuntimeBroker.exe.1.dr, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs High entropy of concatenated method names: '.ctor', 'f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL', 'odzk9p94MT2SAzpNEvpGJPXIXBpKb78L', 'PpP1ZJ6vL5Rjf7JOtscM9GwrJK0FUBoE', 'hrj27DaUwuS0ibvOJ9hxCVzkl1el66em', 'a9yLePGXZQjjXdJeqiXxaXxmPUTkgRoO', 'j9NXRGsiY2KyDABDf9S5NccIdAr2MCb2', 'N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ', 'SetWindowsHookEx', 'CallNextHookEx'
Source: RuntimeBroker.exe.1.dr, Uz6pmBgikQRQKMCQaOsConle7zbV4wJg.cs High entropy of concatenated method names: 'add_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'remove_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'Oweg6l8unTQq589p50V7s054RXJq4WEK', 'add_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'remove_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'rDjezLX0kamorsGR5lQV9p441hDbLtaA', 'add_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'remove_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'Vr4Hagu9vcySNPukIRFfeyipMGRE0kSz', 'add_emXvL5ettkTFDIpveEG2ROojCyp5prWu'
Source: RuntimeBroker.exe.1.dr, mEd117s3i1y3NXTkHjayNJxPoi0MxkfX.cs High entropy of concatenated method names: 'GetProcAddress', 'LoadLibrary', '.ctor', 'AuthenticateSql', 'cnnZSOqm1JMACSo6khOxfQFibDAfbW18', 'DgHV4PUuYWyBWD19EO5ApufIxJS0k1fh', 'J5l6ojP7U5zc84aeuGrDhGw6hmkctwCl', 'ektYpJC70hlYTPAfE3kDCpR8BlpiiFhH', 'pgs0MT1l5x7d2fSO316r3mhDh2Avw4PZ', 'Phy1aS3JrUfxfUemkxXMu1GzQRjCTOCz'
Source: RuntimeBroker.exe.1.dr, BveDohN1tdZy3GptXcUGn5MjUR1PrMun.cs High entropy of concatenated method names: '.ctor', 'QNmsnAXgzilvDVaCimSEXueJm41z5ADG', 'L34KBAjUkurs9ZTlhzl1v4lYgY27JerK', 'tFkKaivFiA1CxOlEbaY67PYONXm55ISE', 'DH02aZKyOUFzG7M4nhy0dwCDye9g30yh', 'GvmpIrz1APpnHGx7r1iqLIUnaxpQHo87', 'YMhjL3By8iFz8b2EqWmaNdPW3YblG9AL', 'di70EEEAlZSKHlcc7wQYnVUcteLvkNkZ', 'IPX1XNkGNH3OJhvxKNxogqkSKg3uwmg1', 'PCEMkDLs2Cgyy8jIk86w38pMMXEGxa5c'
Source: RuntimeBroker.exe.1.dr, rKyH6RiElynXjuPcpqtEpkP7QcvpRGhm.cs High entropy of concatenated method names: '.cctor', '.ctor', 'get_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'set_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'DePPnhfoPURbeKaoGZ87IlCPgJLUqOAw', 'vMXFSQfFDrQEePRSb2Yl6edVxzcplo6b', 'kKM0FUXFsOU0xpNqBbiPR05qddSAqyhl', 'lme1LmY0vfI0FOiZyF4KPFB6gO80V5Wb', 'GZj2WaSCdgL28tduEgYbMuuaWfZyRJLy', 'XPZkS00WIzjl4YeYtkZuxVr4V6zeMHNg'
Source: 1.2.CyneroS.exe.c60000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs High entropy of concatenated method names: 'get_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'set_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'SetCursorPos', 'mouse_event', 'mciSendString', 'get_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'set_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'BlockInput', 'SwapMouseButton', 'FindWindow'
Source: 1.2.CyneroS.exe.c60000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs High entropy of concatenated method names: '.ctor', 'f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL', 'odzk9p94MT2SAzpNEvpGJPXIXBpKb78L', 'PpP1ZJ6vL5Rjf7JOtscM9GwrJK0FUBoE', 'hrj27DaUwuS0ibvOJ9hxCVzkl1el66em', 'a9yLePGXZQjjXdJeqiXxaXxmPUTkgRoO', 'j9NXRGsiY2KyDABDf9S5NccIdAr2MCb2', 'N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ', 'SetWindowsHookEx', 'CallNextHookEx'
Source: 1.2.CyneroS.exe.c60000.0.unpack, rKyH6RiElynXjuPcpqtEpkP7QcvpRGhm.cs High entropy of concatenated method names: '.cctor', '.ctor', 'get_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'set_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'DePPnhfoPURbeKaoGZ87IlCPgJLUqOAw', 'vMXFSQfFDrQEePRSb2Yl6edVxzcplo6b', 'kKM0FUXFsOU0xpNqBbiPR05qddSAqyhl', 'lme1LmY0vfI0FOiZyF4KPFB6gO80V5Wb', 'GZj2WaSCdgL28tduEgYbMuuaWfZyRJLy', 'XPZkS00WIzjl4YeYtkZuxVr4V6zeMHNg'
Source: 1.2.CyneroS.exe.c60000.0.unpack, mEd117s3i1y3NXTkHjayNJxPoi0MxkfX.cs High entropy of concatenated method names: 'GetProcAddress', 'LoadLibrary', '.ctor', 'AuthenticateSql', 'cnnZSOqm1JMACSo6khOxfQFibDAfbW18', 'DgHV4PUuYWyBWD19EO5ApufIxJS0k1fh', 'J5l6ojP7U5zc84aeuGrDhGw6hmkctwCl', 'ektYpJC70hlYTPAfE3kDCpR8BlpiiFhH', 'pgs0MT1l5x7d2fSO316r3mhDh2Avw4PZ', 'Phy1aS3JrUfxfUemkxXMu1GzQRjCTOCz'
Source: 1.2.CyneroS.exe.c60000.0.unpack, BveDohN1tdZy3GptXcUGn5MjUR1PrMun.cs High entropy of concatenated method names: '.ctor', 'QNmsnAXgzilvDVaCimSEXueJm41z5ADG', 'L34KBAjUkurs9ZTlhzl1v4lYgY27JerK', 'tFkKaivFiA1CxOlEbaY67PYONXm55ISE', 'DH02aZKyOUFzG7M4nhy0dwCDye9g30yh', 'GvmpIrz1APpnHGx7r1iqLIUnaxpQHo87', 'YMhjL3By8iFz8b2EqWmaNdPW3YblG9AL', 'di70EEEAlZSKHlcc7wQYnVUcteLvkNkZ', 'IPX1XNkGNH3OJhvxKNxogqkSKg3uwmg1', 'PCEMkDLs2Cgyy8jIk86w38pMMXEGxa5c'
Source: 1.2.CyneroS.exe.c60000.0.unpack, Uz6pmBgikQRQKMCQaOsConle7zbV4wJg.cs High entropy of concatenated method names: 'add_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'remove_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'Oweg6l8unTQq589p50V7s054RXJq4WEK', 'add_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'remove_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'rDjezLX0kamorsGR5lQV9p441hDbLtaA', 'add_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'remove_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'Vr4Hagu9vcySNPukIRFfeyipMGRE0kSz', 'add_emXvL5ettkTFDIpveEG2ROojCyp5prWu'
Source: 1.0.CyneroS.exe.c60000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs High entropy of concatenated method names: 'get_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'set_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'SetCursorPos', 'mouse_event', 'mciSendString', 'get_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'set_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'BlockInput', 'SwapMouseButton', 'FindWindow'
Source: 1.0.CyneroS.exe.c60000.0.unpack, Uz6pmBgikQRQKMCQaOsConle7zbV4wJg.cs High entropy of concatenated method names: 'add_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'remove_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'Oweg6l8unTQq589p50V7s054RXJq4WEK', 'add_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'remove_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'rDjezLX0kamorsGR5lQV9p441hDbLtaA', 'add_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'remove_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'Vr4Hagu9vcySNPukIRFfeyipMGRE0kSz', 'add_emXvL5ettkTFDIpveEG2ROojCyp5prWu'
Source: 1.0.CyneroS.exe.c60000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs High entropy of concatenated method names: '.ctor', 'f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL', 'odzk9p94MT2SAzpNEvpGJPXIXBpKb78L', 'PpP1ZJ6vL5Rjf7JOtscM9GwrJK0FUBoE', 'hrj27DaUwuS0ibvOJ9hxCVzkl1el66em', 'a9yLePGXZQjjXdJeqiXxaXxmPUTkgRoO', 'j9NXRGsiY2KyDABDf9S5NccIdAr2MCb2', 'N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ', 'SetWindowsHookEx', 'CallNextHookEx'
Source: 1.0.CyneroS.exe.c60000.0.unpack, rKyH6RiElynXjuPcpqtEpkP7QcvpRGhm.cs High entropy of concatenated method names: '.cctor', '.ctor', 'get_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'set_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'DePPnhfoPURbeKaoGZ87IlCPgJLUqOAw', 'vMXFSQfFDrQEePRSb2Yl6edVxzcplo6b', 'kKM0FUXFsOU0xpNqBbiPR05qddSAqyhl', 'lme1LmY0vfI0FOiZyF4KPFB6gO80V5Wb', 'GZj2WaSCdgL28tduEgYbMuuaWfZyRJLy', 'XPZkS00WIzjl4YeYtkZuxVr4V6zeMHNg'
Source: 1.0.CyneroS.exe.c60000.0.unpack, mEd117s3i1y3NXTkHjayNJxPoi0MxkfX.cs High entropy of concatenated method names: 'GetProcAddress', 'LoadLibrary', '.ctor', 'AuthenticateSql', 'cnnZSOqm1JMACSo6khOxfQFibDAfbW18', 'DgHV4PUuYWyBWD19EO5ApufIxJS0k1fh', 'J5l6ojP7U5zc84aeuGrDhGw6hmkctwCl', 'ektYpJC70hlYTPAfE3kDCpR8BlpiiFhH', 'pgs0MT1l5x7d2fSO316r3mhDh2Avw4PZ', 'Phy1aS3JrUfxfUemkxXMu1GzQRjCTOCz'
Source: 1.0.CyneroS.exe.c60000.0.unpack, BveDohN1tdZy3GptXcUGn5MjUR1PrMun.cs High entropy of concatenated method names: '.ctor', 'QNmsnAXgzilvDVaCimSEXueJm41z5ADG', 'L34KBAjUkurs9ZTlhzl1v4lYgY27JerK', 'tFkKaivFiA1CxOlEbaY67PYONXm55ISE', 'DH02aZKyOUFzG7M4nhy0dwCDye9g30yh', 'GvmpIrz1APpnHGx7r1iqLIUnaxpQHo87', 'YMhjL3By8iFz8b2EqWmaNdPW3YblG9AL', 'di70EEEAlZSKHlcc7wQYnVUcteLvkNkZ', 'IPX1XNkGNH3OJhvxKNxogqkSKg3uwmg1', 'PCEMkDLs2Cgyy8jIk86w38pMMXEGxa5c'
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs High entropy of concatenated method names: 'get_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'set_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'SetCursorPos', 'mouse_event', 'mciSendString', 'get_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'set_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'BlockInput', 'SwapMouseButton', 'FindWindow'
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs High entropy of concatenated method names: '.ctor', 'f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL', 'odzk9p94MT2SAzpNEvpGJPXIXBpKb78L', 'PpP1ZJ6vL5Rjf7JOtscM9GwrJK0FUBoE', 'hrj27DaUwuS0ibvOJ9hxCVzkl1el66em', 'a9yLePGXZQjjXdJeqiXxaXxmPUTkgRoO', 'j9NXRGsiY2KyDABDf9S5NccIdAr2MCb2', 'N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ', 'SetWindowsHookEx', 'CallNextHookEx'
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, mEd117s3i1y3NXTkHjayNJxPoi0MxkfX.cs High entropy of concatenated method names: 'GetProcAddress', 'LoadLibrary', '.ctor', 'AuthenticateSql', 'cnnZSOqm1JMACSo6khOxfQFibDAfbW18', 'DgHV4PUuYWyBWD19EO5ApufIxJS0k1fh', 'J5l6ojP7U5zc84aeuGrDhGw6hmkctwCl', 'ektYpJC70hlYTPAfE3kDCpR8BlpiiFhH', 'pgs0MT1l5x7d2fSO316r3mhDh2Avw4PZ', 'Phy1aS3JrUfxfUemkxXMu1GzQRjCTOCz'
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, BveDohN1tdZy3GptXcUGn5MjUR1PrMun.cs High entropy of concatenated method names: '.ctor', 'QNmsnAXgzilvDVaCimSEXueJm41z5ADG', 'L34KBAjUkurs9ZTlhzl1v4lYgY27JerK', 'tFkKaivFiA1CxOlEbaY67PYONXm55ISE', 'DH02aZKyOUFzG7M4nhy0dwCDye9g30yh', 'GvmpIrz1APpnHGx7r1iqLIUnaxpQHo87', 'YMhjL3By8iFz8b2EqWmaNdPW3YblG9AL', 'di70EEEAlZSKHlcc7wQYnVUcteLvkNkZ', 'IPX1XNkGNH3OJhvxKNxogqkSKg3uwmg1', 'PCEMkDLs2Cgyy8jIk86w38pMMXEGxa5c'
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, Uz6pmBgikQRQKMCQaOsConle7zbV4wJg.cs High entropy of concatenated method names: 'add_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'remove_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'Oweg6l8unTQq589p50V7s054RXJq4WEK', 'add_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'remove_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'rDjezLX0kamorsGR5lQV9p441hDbLtaA', 'add_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'remove_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'Vr4Hagu9vcySNPukIRFfeyipMGRE0kSz', 'add_emXvL5ettkTFDIpveEG2ROojCyp5prWu'
Source: 6.2.RuntimeBroker.exe.b0000.0.unpack, rKyH6RiElynXjuPcpqtEpkP7QcvpRGhm.cs High entropy of concatenated method names: '.cctor', '.ctor', 'get_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'set_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'DePPnhfoPURbeKaoGZ87IlCPgJLUqOAw', 'vMXFSQfFDrQEePRSb2Yl6edVxzcplo6b', 'kKM0FUXFsOU0xpNqBbiPR05qddSAqyhl', 'lme1LmY0vfI0FOiZyF4KPFB6gO80V5Wb', 'GZj2WaSCdgL28tduEgYbMuuaWfZyRJLy', 'XPZkS00WIzjl4YeYtkZuxVr4V6zeMHNg'
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs High entropy of concatenated method names: 'get_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'set_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'SetCursorPos', 'mouse_event', 'mciSendString', 'get_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'set_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'BlockInput', 'SwapMouseButton', 'FindWindow'
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, Uz6pmBgikQRQKMCQaOsConle7zbV4wJg.cs High entropy of concatenated method names: 'add_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'remove_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'Oweg6l8unTQq589p50V7s054RXJq4WEK', 'add_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'remove_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'rDjezLX0kamorsGR5lQV9p441hDbLtaA', 'add_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'remove_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'Vr4Hagu9vcySNPukIRFfeyipMGRE0kSz', 'add_emXvL5ettkTFDIpveEG2ROojCyp5prWu'
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, mEd117s3i1y3NXTkHjayNJxPoi0MxkfX.cs High entropy of concatenated method names: 'GetProcAddress', 'LoadLibrary', '.ctor', 'AuthenticateSql', 'cnnZSOqm1JMACSo6khOxfQFibDAfbW18', 'DgHV4PUuYWyBWD19EO5ApufIxJS0k1fh', 'J5l6ojP7U5zc84aeuGrDhGw6hmkctwCl', 'ektYpJC70hlYTPAfE3kDCpR8BlpiiFhH', 'pgs0MT1l5x7d2fSO316r3mhDh2Avw4PZ', 'Phy1aS3JrUfxfUemkxXMu1GzQRjCTOCz'
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, BveDohN1tdZy3GptXcUGn5MjUR1PrMun.cs High entropy of concatenated method names: '.ctor', 'QNmsnAXgzilvDVaCimSEXueJm41z5ADG', 'L34KBAjUkurs9ZTlhzl1v4lYgY27JerK', 'tFkKaivFiA1CxOlEbaY67PYONXm55ISE', 'DH02aZKyOUFzG7M4nhy0dwCDye9g30yh', 'GvmpIrz1APpnHGx7r1iqLIUnaxpQHo87', 'YMhjL3By8iFz8b2EqWmaNdPW3YblG9AL', 'di70EEEAlZSKHlcc7wQYnVUcteLvkNkZ', 'IPX1XNkGNH3OJhvxKNxogqkSKg3uwmg1', 'PCEMkDLs2Cgyy8jIk86w38pMMXEGxa5c'
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs High entropy of concatenated method names: '.ctor', 'f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL', 'odzk9p94MT2SAzpNEvpGJPXIXBpKb78L', 'PpP1ZJ6vL5Rjf7JOtscM9GwrJK0FUBoE', 'hrj27DaUwuS0ibvOJ9hxCVzkl1el66em', 'a9yLePGXZQjjXdJeqiXxaXxmPUTkgRoO', 'j9NXRGsiY2KyDABDf9S5NccIdAr2MCb2', 'N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ', 'SetWindowsHookEx', 'CallNextHookEx'
Source: 6.0.RuntimeBroker.exe.b0000.0.unpack, rKyH6RiElynXjuPcpqtEpkP7QcvpRGhm.cs High entropy of concatenated method names: '.cctor', '.ctor', 'get_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'set_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'DePPnhfoPURbeKaoGZ87IlCPgJLUqOAw', 'vMXFSQfFDrQEePRSb2Yl6edVxzcplo6b', 'kKM0FUXFsOU0xpNqBbiPR05qddSAqyhl', 'lme1LmY0vfI0FOiZyF4KPFB6gO80V5Wb', 'GZj2WaSCdgL28tduEgYbMuuaWfZyRJLy', 'XPZkS00WIzjl4YeYtkZuxVr4V6zeMHNg'
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs High entropy of concatenated method names: 'get_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'set_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'SetCursorPos', 'mouse_event', 'mciSendString', 'get_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'set_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'BlockInput', 'SwapMouseButton', 'FindWindow'
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, Uz6pmBgikQRQKMCQaOsConle7zbV4wJg.cs High entropy of concatenated method names: 'add_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'remove_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'Oweg6l8unTQq589p50V7s054RXJq4WEK', 'add_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'remove_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'rDjezLX0kamorsGR5lQV9p441hDbLtaA', 'add_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'remove_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'Vr4Hagu9vcySNPukIRFfeyipMGRE0kSz', 'add_emXvL5ettkTFDIpveEG2ROojCyp5prWu'
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, mEd117s3i1y3NXTkHjayNJxPoi0MxkfX.cs High entropy of concatenated method names: 'GetProcAddress', 'LoadLibrary', '.ctor', 'AuthenticateSql', 'cnnZSOqm1JMACSo6khOxfQFibDAfbW18', 'DgHV4PUuYWyBWD19EO5ApufIxJS0k1fh', 'J5l6ojP7U5zc84aeuGrDhGw6hmkctwCl', 'ektYpJC70hlYTPAfE3kDCpR8BlpiiFhH', 'pgs0MT1l5x7d2fSO316r3mhDh2Avw4PZ', 'Phy1aS3JrUfxfUemkxXMu1GzQRjCTOCz'
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, BveDohN1tdZy3GptXcUGn5MjUR1PrMun.cs High entropy of concatenated method names: '.ctor', 'QNmsnAXgzilvDVaCimSEXueJm41z5ADG', 'L34KBAjUkurs9ZTlhzl1v4lYgY27JerK', 'tFkKaivFiA1CxOlEbaY67PYONXm55ISE', 'DH02aZKyOUFzG7M4nhy0dwCDye9g30yh', 'GvmpIrz1APpnHGx7r1iqLIUnaxpQHo87', 'YMhjL3By8iFz8b2EqWmaNdPW3YblG9AL', 'di70EEEAlZSKHlcc7wQYnVUcteLvkNkZ', 'IPX1XNkGNH3OJhvxKNxogqkSKg3uwmg1', 'PCEMkDLs2Cgyy8jIk86w38pMMXEGxa5c'
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, rKyH6RiElynXjuPcpqtEpkP7QcvpRGhm.cs High entropy of concatenated method names: '.cctor', '.ctor', 'get_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'set_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'DePPnhfoPURbeKaoGZ87IlCPgJLUqOAw', 'vMXFSQfFDrQEePRSb2Yl6edVxzcplo6b', 'kKM0FUXFsOU0xpNqBbiPR05qddSAqyhl', 'lme1LmY0vfI0FOiZyF4KPFB6gO80V5Wb', 'GZj2WaSCdgL28tduEgYbMuuaWfZyRJLy', 'XPZkS00WIzjl4YeYtkZuxVr4V6zeMHNg'
Source: 11.0.RuntimeBroker.exe.a40000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs High entropy of concatenated method names: '.ctor', 'f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL', 'odzk9p94MT2SAzpNEvpGJPXIXBpKb78L', 'PpP1ZJ6vL5Rjf7JOtscM9GwrJK0FUBoE', 'hrj27DaUwuS0ibvOJ9hxCVzkl1el66em', 'a9yLePGXZQjjXdJeqiXxaXxmPUTkgRoO', 'j9NXRGsiY2KyDABDf9S5NccIdAr2MCb2', 'N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ', 'SetWindowsHookEx', 'CallNextHookEx'
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs High entropy of concatenated method names: 'get_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'set_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'SetCursorPos', 'mouse_event', 'mciSendString', 'get_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'set_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'BlockInput', 'SwapMouseButton', 'FindWindow'
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, rKyH6RiElynXjuPcpqtEpkP7QcvpRGhm.cs High entropy of concatenated method names: '.cctor', '.ctor', 'get_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'set_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'DePPnhfoPURbeKaoGZ87IlCPgJLUqOAw', 'vMXFSQfFDrQEePRSb2Yl6edVxzcplo6b', 'kKM0FUXFsOU0xpNqBbiPR05qddSAqyhl', 'lme1LmY0vfI0FOiZyF4KPFB6gO80V5Wb', 'GZj2WaSCdgL28tduEgYbMuuaWfZyRJLy', 'XPZkS00WIzjl4YeYtkZuxVr4V6zeMHNg'
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, Uz6pmBgikQRQKMCQaOsConle7zbV4wJg.cs High entropy of concatenated method names: 'add_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'remove_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'Oweg6l8unTQq589p50V7s054RXJq4WEK', 'add_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'remove_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'rDjezLX0kamorsGR5lQV9p441hDbLtaA', 'add_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'remove_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'Vr4Hagu9vcySNPukIRFfeyipMGRE0kSz', 'add_emXvL5ettkTFDIpveEG2ROojCyp5prWu'
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, mEd117s3i1y3NXTkHjayNJxPoi0MxkfX.cs High entropy of concatenated method names: 'GetProcAddress', 'LoadLibrary', '.ctor', 'AuthenticateSql', 'cnnZSOqm1JMACSo6khOxfQFibDAfbW18', 'DgHV4PUuYWyBWD19EO5ApufIxJS0k1fh', 'J5l6ojP7U5zc84aeuGrDhGw6hmkctwCl', 'ektYpJC70hlYTPAfE3kDCpR8BlpiiFhH', 'pgs0MT1l5x7d2fSO316r3mhDh2Avw4PZ', 'Phy1aS3JrUfxfUemkxXMu1GzQRjCTOCz'
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, BveDohN1tdZy3GptXcUGn5MjUR1PrMun.cs High entropy of concatenated method names: '.ctor', 'QNmsnAXgzilvDVaCimSEXueJm41z5ADG', 'L34KBAjUkurs9ZTlhzl1v4lYgY27JerK', 'tFkKaivFiA1CxOlEbaY67PYONXm55ISE', 'DH02aZKyOUFzG7M4nhy0dwCDye9g30yh', 'GvmpIrz1APpnHGx7r1iqLIUnaxpQHo87', 'YMhjL3By8iFz8b2EqWmaNdPW3YblG9AL', 'di70EEEAlZSKHlcc7wQYnVUcteLvkNkZ', 'IPX1XNkGNH3OJhvxKNxogqkSKg3uwmg1', 'PCEMkDLs2Cgyy8jIk86w38pMMXEGxa5c'
Source: 11.2.RuntimeBroker.exe.a40000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs High entropy of concatenated method names: '.ctor', 'f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL', 'odzk9p94MT2SAzpNEvpGJPXIXBpKb78L', 'PpP1ZJ6vL5Rjf7JOtscM9GwrJK0FUBoE', 'hrj27DaUwuS0ibvOJ9hxCVzkl1el66em', 'a9yLePGXZQjjXdJeqiXxaXxmPUTkgRoO', 'j9NXRGsiY2KyDABDf9S5NccIdAr2MCb2', 'N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ', 'SetWindowsHookEx', 'CallNextHookEx'
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, LrWBaO7ADjUM1s0xQAUzgyDUihVGdQCX.cs High entropy of concatenated method names: 'get_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'set_lJfBr94KfsV5uUQNMHRVsOyT8rOa7X54', 'SetCursorPos', 'mouse_event', 'mciSendString', 'get_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'set_a8GlkLCGniAAyHIn9ifMoIDEAAAC7wTk', 'BlockInput', 'SwapMouseButton', 'FindWindow'
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, Kt48EoHHuC6qR772XjyrdV9kaD0D0gGP.cs High entropy of concatenated method names: '.ctor', 'f8LJ0uc9T4EXeUKuj6tcbvY5A8EpOGCL', 'odzk9p94MT2SAzpNEvpGJPXIXBpKb78L', 'PpP1ZJ6vL5Rjf7JOtscM9GwrJK0FUBoE', 'hrj27DaUwuS0ibvOJ9hxCVzkl1el66em', 'a9yLePGXZQjjXdJeqiXxaXxmPUTkgRoO', 'j9NXRGsiY2KyDABDf9S5NccIdAr2MCb2', 'N0IWj4joMYO22kylQTu0YBPX9JB2ghqQ', 'SetWindowsHookEx', 'CallNextHookEx'
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, rKyH6RiElynXjuPcpqtEpkP7QcvpRGhm.cs High entropy of concatenated method names: '.cctor', '.ctor', 'get_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'set_l6JNKUmxmrj9TkhsFiOa7txff7fwHWMw', 'DePPnhfoPURbeKaoGZ87IlCPgJLUqOAw', 'vMXFSQfFDrQEePRSb2Yl6edVxzcplo6b', 'kKM0FUXFsOU0xpNqBbiPR05qddSAqyhl', 'lme1LmY0vfI0FOiZyF4KPFB6gO80V5Wb', 'GZj2WaSCdgL28tduEgYbMuuaWfZyRJLy', 'XPZkS00WIzjl4YeYtkZuxVr4V6zeMHNg'
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, Uz6pmBgikQRQKMCQaOsConle7zbV4wJg.cs High entropy of concatenated method names: 'add_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'remove_pef3g970wHRhnzobpujGp9uqy2c1GvKH', 'Oweg6l8unTQq589p50V7s054RXJq4WEK', 'add_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'remove_ZbOTigUgdy2dY8Vivx77jGIDTF27MwaC', 'rDjezLX0kamorsGR5lQV9p441hDbLtaA', 'add_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'remove_Ox57xdsvz5UkntBDe4HdG0LiAowjHhcZ', 'Vr4Hagu9vcySNPukIRFfeyipMGRE0kSz', 'add_emXvL5ettkTFDIpveEG2ROojCyp5prWu'
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, mEd117s3i1y3NXTkHjayNJxPoi0MxkfX.cs High entropy of concatenated method names: 'GetProcAddress', 'LoadLibrary', '.ctor', 'AuthenticateSql', 'cnnZSOqm1JMACSo6khOxfQFibDAfbW18', 'DgHV4PUuYWyBWD19EO5ApufIxJS0k1fh', 'J5l6ojP7U5zc84aeuGrDhGw6hmkctwCl', 'ektYpJC70hlYTPAfE3kDCpR8BlpiiFhH', 'pgs0MT1l5x7d2fSO316r3mhDh2Avw4PZ', 'Phy1aS3JrUfxfUemkxXMu1GzQRjCTOCz'
Source: 14.0.RuntimeBroker.exe.d0000.0.unpack, BveDohN1tdZy3GptXcUGn5MjUR1PrMun.cs High entropy of concatenated method names: '.ctor', 'QNmsnAXgzilvDVaCimSEXueJm41z5ADG', 'L34KBAjUkurs9ZTlhzl1v4lYgY27JerK', 'tFkKaivFiA1CxOlEbaY67PYONXm55ISE', 'DH02aZKyOUFzG7M4nhy0dwCDye9g30yh', 'GvmpIrz1APpnHGx7r1iqLIUnaxpQHo87', 'YMhjL3By8iFz8b2EqWmaNdPW3YblG9AL', 'di70EEEAlZSKHlcc7wQYnVUcteLvkNkZ', 'IPX1XNkGNH3OJhvxKNxogqkSKg3uwmg1', 'PCEMkDLs2Cgyy8jIk86w38pMMXEGxa5c'
Source: C:\Users\user\Desktop\CyneroS.exe File created: C:\Users\user\AppData\Roaming\Updates\RuntimeBroker.exe
Source: C:\Users\user\Desktop\CyneroS.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker.exe
Source: C:\Users\user\Desktop\CyneroS.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker.exe