{"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "|'|'|", "Install Flag": "False"}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | Avira: detection malicious, Label: TR/Dropper.Gen7 |
Source: 1.0.12_pgr.exe.ee0000.0.unpack | Malware Configuration Extractor: Njrat {"Campaign ID": "SPRINGLES", "Version": "0.7d", "Install Name": "server.exe", "Install Dir": "TEMP", "Registry Value": "79c06ef4ef423d882819c4e66285ec85", "Host": "185.140.53.71", "Port": "3429", "Network Seprator": "|'|'|", "Install Flag": "False"} |
Source: Yara match | File source: 12_pgr.exe, type: SAMPLE |
Source: Yara match | File source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 12_pgr.exe PID: 6756, type: MEMORY |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED |
Source: Yara match | File source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | Joe Sandbox ML: detected |
Source: 1.0.12_pgr.exe.ee0000.0.unpack | Avira: Label: TR/Dropper.Gen7 |
Source: 1.2.12_pgr.exe.ee0000.0.unpack | Avira: Label: TR/Dropper.Gen7 |
Source: 12_pgr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: C:\Users\user\Desktop\12_pgr.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll | Jump to behavior |
Source: 12_pgr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: Traffic | Snort IDS: 2021176 ET TROJAN Bladabindi/njRAT CnC Command (ll) 192.168.2.4:49734 -> 185.140.53.71:3429 |
Source: Malware configuration extractor | URLs: 185.140.53.71 |
Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 185.140.53.71:3429 |
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.71 |
Source: 12_pgr.exe, kl.cs | .Net Code: VKCodeToUnicode |
Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, kl.cs | .Net Code: VKCodeToUnicode |
Source: 1.0.12_pgr.exe.ee0000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: 1.2.12_pgr.exe.ee0000.0.unpack, kl.cs | .Net Code: VKCodeToUnicode |
Source: Yara match | File source: 12_pgr.exe, type: SAMPLE |
Source: Yara match | File source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 12_pgr.exe PID: 6756, type: MEMORY |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED |
Source: Yara match | File source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE |
Source: 12_pgr.exe, type: SAMPLE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 12_pgr.exe, type: SAMPLE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 12_pgr.exe, type: SAMPLE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth |
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter |
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group |
Source: 12_pgr.exe, 00000001.00000002.920058520.0000000005EB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs 12_pgr.exe |
Source: 12_pgr.exe, 00000001.00000002.920027771.0000000005E90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs 12_pgr.exe |
Source: 12_pgr.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE |
Source: 12_pgr.exe, type: SAMPLE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 12_pgr.exe, type: SAMPLE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 12_pgr.exe, type: SAMPLE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000001.00000000.652636362.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 00000001.00000002.918510318.0000000000EE2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe, type: DROPPED | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 1.0.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net |
Source: 1.2.12_pgr.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan |
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@4/3@0/1 |
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_057E282E AdjustTokenPrivileges, | 1_2_057E282E |
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_057E27F7 AdjustTokenPrivileges, | 1_2_057E27F7 |
Source: C:\Users\user\Desktop\12_pgr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | Jump to behavior |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01 |
Source: C:\Users\user\Desktop\12_pgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\79c06ef4ef423d882819c4e66285ec85 |
Source: C:\Users\user\Desktop\12_pgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking |
Source: 12_pgr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\12_pgr.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: unknown | Process created: C:\Users\user\Desktop\12_pgr.exe 'C:\Users\user\Desktop\12_pgr.exe' | |
Source: C:\Users\user\Desktop\12_pgr.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE | |
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\12_pgr.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 | Jump to behavior |
Source: 12_pgr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: C:\Users\user\Desktop\12_pgr.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll | Jump to behavior |
Source: 12_pgr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: 12_pgr.exe, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 1.0.12_pgr.exe.ee0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 1.2.12_pgr.exe.ee0000.0.unpack, OK.cs | .Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_00EE5021 push cs; ret | 1_2_00EE5022 |
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_05C30773 push es; ret | 1_2_05C30776 |
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_05C31F74 push ds; ret | 1_2_05C31F7A |
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_05C30778 push es; ret | 1_2_05C3077A |
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_05C30F7F push cs; ret | 1_2_05C30F82 |
Source: C:\Users\user\Desktop\12_pgr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | Jump to dropped file |
Source: C:\Users\user\Desktop\12_pgr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | Jump to dropped file |
Source: C:\Users\user\Desktop\12_pgr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c06ef4ef423d882819c4e66285ec85.exe\:Zone.Identifier:$DATA | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\12_pgr.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\12_pgr.exe | Memory allocated: page read and write | page guard | Jump to behavior |
Source: 12_pgr.exe, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 12_pgr.exe, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32') |
Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 79c06ef4ef423d882819c4e66285ec85.exe.1.dr, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32') |
Source: 1.0.12_pgr.exe.ee0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 1.0.12_pgr.exe.ee0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32') |
Source: 1.2.12_pgr.exe.ee0000.0.unpack, OK.cs | Reference to suspicious API methods: ('capGetDriverDescriptionA', 'capGetDriverDescriptionA@avicap32.dll') |
Source: 1.2.12_pgr.exe.ee0000.0.unpack, kl.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll'), ('GetAsyncKeyState', 'GetAsyncKeyState@user32') |
Source: 12_pgr.exe, 00000001.00000002.918571397.00000000012FA000.00000004.00000001.sdmp | Binary or memory string: Program Manager |
Source: 12_pgr.exe, 00000001.00000002.918933058.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: 12_pgr.exe, 00000001.00000002.918933058.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: 12_pgr.exe, 00000001.00000002.918933058.0000000001C30000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: 12_pgr.exe, 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp | Binary or memory string: Program Manager|9 |
Source: 12_pgr.exe, 00000001.00000002.919369600.0000000003545000.00000004.00000001.sdmp | Binary or memory string: Program Manager< |
Source: C:\Users\user\Desktop\12_pgr.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Code function: 1_2_057E0776 GetUserNameW, | 1_2_057E0776 |
Source: C:\Users\user\Desktop\12_pgr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |
Source: C:\Users\user\Desktop\12_pgr.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE |
Source: C:\Users\user\Desktop\12_pgr.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram 'C:\Users\user\Desktop\12_pgr.exe' '12_pgr.exe' ENABLE |