{"C2 url": "bumblebee2021.store:80|trusmileveneers.store:80|lazerprojekt.store:80", "Bot Id": "118"}
Source: 0.3.kMroyG6lXZ.exe.7242d0.1.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": "bumblebee2021.store:80|trusmileveneers.store:80|lazerprojekt.store:80", "Bot Id": "118"}
Source: kMroyG6lXZ.exe | Virustotal: Detection: 28%
Source: kMroyG6lXZ.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Unpacked PE file: 0.2.kMroyG6lXZ.exe.400000.0.unpack
Source: kMroyG6lXZ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Binary string: _.pdb source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp
Binary string: System.ServiceModel.pdbH source: kMroyG6lXZ.exe, 00000000.00000002.489292260.0000000000777000.00000004.00000001.sdmp
Binary string: System.ServiceModel.pdb source: kMroyG6lXZ.exe, 00000000.00000002.489292260.0000000000777000.00000004.00000001.sdmp
Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: kMroyG6lXZ.exe, 00000000.00000002.488981394.000000000070D000.00000004.00000001.sdmp
Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: kMroyG6lXZ.exe, 00000000.00000002.488981394.000000000070D000.00000004.00000001.sdmp
Source: unknown | DNS traffic detected: query: bumblebee2021.store reply code: Name error (3)
Source: unknown | DNS traffic detected: queries for: bumblebee2021.store
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://bumblebee2021.store
Source: kMroyG6lXZ.exe, 00000000.00000002.490778554.0000000002558000.00000004.00000001.sdmp | String found in binary or memory: http://bumblebee2021.store(hr
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp, kMroyG6lXZ.exe, 00000000.00000002.490752046.000000000254E000.00000004.00000001.sdmp | String found in binary or memory: http://bumblebee2021.store//
Source: kMroyG6lXZ.exe, 00000000.00000002.490752046.000000000254E000.00000004.00000001.sdmp | String found in binary or memory: http://bumblebee2021.store4
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://bumblebee2021.store:80//
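The extractor's config line at the top lists three C2 hosts, while the DNS lines above show the sandbox resolving only the first of them and getting NXDOMAIN back. The following is an added example, not part of this report and not Joe Sandbox code: it parses the pipe-separated "C2 url" field into (host, port) IOCs and sweeps resolver logs for them, so that both a live contact and a failed beaconing attempt are surfaced. The log lines, their "<time> <client> <qname> rcode=<n>" format and the client addresses are constructed for the example.

```python
import json
import re
from typing import Dict, List, Tuple

# The configuration string exactly as the report's RedLine extractor printed it.
REDLINE_CONFIG = ('{"C2 url": "bumblebee2021.store:80|trusmileveneers.store:80'
                  '|lazerprojekt.store:80", "Bot Id": "118"}')


def extract_c2(config_json: str) -> List[Tuple[str, int]]:
    """Split the pipe-delimited 'C2 url' field into (host, port) pairs.

    The field carries several C2s in one string; every entry is an IOC,
    not just the one the sandbox happened to see queried.
    """
    cfg = json.loads(config_json)
    pairs = []
    for entry in cfg["C2 url"].split("|"):
        entry = entry.strip()
        if not entry:
            continue
        host, _, port = entry.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"malformed C2 entry: {entry!r}")
        pairs.append((host.lower(), int(port)))
    return pairs


# DNS RCODE names (RFC 1035); 3 is NXDOMAIN, printed as "Name error (3)" above.
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed resolver log (not from the sandbox run). The line format
# "<time> <client> <qname> rcode=<n>" is an assumption made for this example.
SAMPLE_DNS_LOG = """\
12:00:01 10.0.0.7 bumblebee2021.store rcode=3
12:00:01 10.0.0.7 trusmileveneers.store rcode=3
12:00:02 10.0.0.7 lazerprojekt.store rcode=0
12:00:03 10.0.0.9 api.ipify.org rcode=0
12:00:04 10.0.0.7 example.com rcode=0
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+rcode=(\d+)\s*$")


def match_dns_log(log_text: str, c2: List[Tuple[str, int]]) -> Dict[str, dict]:
    """For each C2 host seen in the log, collect the querying clients and the
    response codes the resolver returned."""
    wanted = {host for host, _ in c2}
    hits: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate unparsable lines instead of aborting the sweep
        _ts, client, qname, rcode = m.groups()
        qname = qname.lower().rstrip(".")
        if qname in wanted:
            rec = hits.setdefault(qname, {"clients": set(), "rcodes": set()})
            rec["clients"].add(client)
            rec["rcodes"].add(RCODE_NAMES.get(int(rcode), f"RCODE{rcode}"))
    return hits


def triage(log_text: str, config_json: str) -> Dict[str, str]:
    """Verdict per configured C2. A host that resolved is a live channel; one
    that came back NXDOMAIN still marks an infected client beaconing, and the
    domain can be registered or re-pointed later, so it is blocked as well."""
    c2 = extract_c2(config_json)
    hits = match_dns_log(log_text, c2)
    verdicts = {}
    for host, _port in c2:
        if host not in hits:
            verdicts[host] = "not queried"
        elif "NOERROR" in hits[host]["rcodes"]:
            verdicts[host] = "resolved: live C2 contact from " + ", ".join(sorted(hits[host]["clients"]))
        else:
            verdicts[host] = "NXDOMAIN: beaconing attempt from " + ", ".join(sorted(hits[host]["clients"]))
    return verdicts
```

Block all three hosts at the resolver or proxy regardless of which one answered during the run; the NXDOMAIN seen in the sandbox says nothing about whether the domain resolves from the victim's network or will resolve next week.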
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp, kMroyG6lXZ.exe, 00000000.00000002.490778554.0000000002558000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp, kMroyG6lXZ.exe, 00000000.00000002.490778554.0000000002558000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/0
Source: kMroyG6lXZ.exe, 00000000.00000002.490752046.000000000254E000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetArguments
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsResponse
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequest
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestResponse
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: kMroyG6lXZ.exe, 00000000.00000002.490688944.0000000002501000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb/geoipAppData
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: https://icanhazip.com5https://wtfismyip.com/textChttp://bot.whatismyipaddress.com/3http://checkip.dy
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00408C60
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0040DC11
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00407C3F
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00418CCC
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00406CA0
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_004028B0
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0041A4BE
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00418244
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00401650
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00402F20
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_004193C4
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00418788
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00402F89
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00402B90
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_004073A0
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00437040
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00437C30
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00439D7C
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0043792B
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_004365D1
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00436AFC
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_004376B0
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0043570B
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_02082B00
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_02087856
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_020818A0
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_02083170
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_020989D8
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_020831D9
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0208DE61
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_02087E8F
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_02088EB0
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_02086EF0
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0209A70E
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_02098F1C
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_020877C2
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_02098494
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_02082DE0
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_022ADB28
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_022AF4D0
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_022ACDF0
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: String function: 0208E428 appears 44 times
Source: kMroyG6lXZ.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: kMroyG6lXZ.exe | Binary or memory string: OriginalFilename vs kMroyG6lXZ.exe
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePristane.exe4 vs kMroyG6lXZ.exe
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename_.dll4 vs kMroyG6lXZ.exe
Source: kMroyG6lXZ.exe, 00000000.00000002.495636457.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs kMroyG6lXZ.exe
Source: kMroyG6lXZ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@1/0@103/1
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Command line argument: 08A (at 0_2_00413780)
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 reads)
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Unpacked PE file: 0.2.kMroyG6lXZ.exe.400000.0.unpack .text:ER;.data:W;.tls:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: kMroyG6lXZ.exe | Static PE information: section name: .new
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0041C40C push cs; iretd | 0_2_0041C4E2
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00423149 push eax; ret | 0_2_00423179
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0041C50E push cs; iretd | 0_2_0041C4E2
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_004231C8 push eax; ret | 0_2_00423179
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0040E21D push ecx; ret | 0_2_0040E230
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0041C6BE push ebx; ret | 0_2_0041C6BF
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0209C10E push ebx; ret | 0_2_0209C10F
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0209BE5C push cs; iretd | 0_2_0209BF32
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0209BF5E push cs; iretd | 0_2_0209BF32
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0208E46D push ecx; ret | 0_2_0208E480
Source: initial sample | Static PE information: .text entropy: 7.72713604414
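The "Unpacked PE file" line, the unusual .new section and the .text entropy of 7.73 bits/byte are this report's packing evidence: the dumped image and the file on disk disagree about which sections exist, and a code section that is almost incompressible is encrypted or compressed code rather than compiled x86. The code below is an added example, not part of the report or of Joe Sandbox. It parses the section-layout notation the tool prints ("name:flags;", E/R/W) and diffs the two sides, and it scores sections by Shannon entropy against the common 7.0 bits/byte rule of thumb. The section contents fed to it are constructed stand-ins, not bytes from the sample.

```python
import hashlib
import math
from typing import Dict, List, Tuple

# bits/byte; compiled x86 code usually sits near 6, compressed or encrypted data near 8
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_layout(spec: str) -> Dict[str, str]:
    """Parse the 'name:flags;...' notation of the Unpacked PE line (E=execute, R=read, W=write)."""
    layout = {}
    for item in spec.split(";"):
        item = item.strip()
        if item:
            name, _, flags = item.partition(":")
            layout[name] = "".join(sorted(flags))
    return layout


def diff_layouts(left: str, right: str) -> Dict[str, List[str]]:
    """Sections present on only one side, and shared sections whose flags differ."""
    a, b = parse_layout(left), parse_layout(right)
    return {
        "only_left": sorted(set(a) - set(b)),
        "only_right": sorted(set(b) - set(a)),
        "flag_changes": sorted(f"{s}:{a[s]}->{b[s]}" for s in set(a) & set(b) if a[s] != b[s]),
    }


def flag_packed_sections(sections: Dict[str, bytes],
                         threshold: float = PACKED_ENTROPY_THRESHOLD) -> List[Tuple[str, float]]:
    """(name, entropy) for every section at or above the threshold."""
    scored = [(name, round(shannon_entropy(data), 3)) for name, data in sections.items()]
    return [(name, e) for name, e in scored if e >= threshold]


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed stand-ins for section contents; none of these bytes come from the sample.
SAMPLE_SECTIONS = {
    ".text": _pseudo_random(8192),                                    # packed code: close to 8 bits/byte
    ".rdata": b"kernel32.dll\0GetProcAddress\0LoadLibraryA\0" * 64,  # import strings: low entropy
    ".data": b"\0" * 4096,                                            # zero-filled: 0.0
}

# The two layouts from the report's "Unpacked PE file" line, in the order printed there.
LAYOUT_LINE = ".text:ER;.data:W;.tls:W;.new:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;"
LAYOUT_LEFT, LAYOUT_RIGHT = LAYOUT_LINE.split(" vs ")
```

Entropy alone does not separate a packer from a legitimately compressed resource or an embedded certificate, so it is worth reporting per section rather than for the whole file: a high .rsrc with a normal .text is usually benign, a .text above 7 almost never is.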
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Process information set: NOOPENFILEERRORBOX (46 events)
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe TID: 5900 | Thread sleep count: 80 > 30
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe TID: 5900 | Thread sleep time: -80000s >= -30000s
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Last function: Thread delayed (2 entries)
Source: kMroyG6lXZ.exe, 00000000.00000002.495636457.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: kMroyG6lXZ.exe, 00000000.00000002.495636457.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: kMroyG6lXZ.exe, 00000000.00000002.495636457.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: kMroyG6lXZ.exe, 00000000.00000002.489327919.0000000000784000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: kMroyG6lXZ.exe, 00000000.00000002.495636457.00000000058F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note on the Hyper-V hits: the four error messages come from the same dump region (0x058F0000) whose version resource reads OriginalFilename Kernelbase.dll.mui (listed above), so they are Windows' own message-table strings mapped into the process rather than checks in the sample's code, and "Hyper-V RAW" followed by the mswsock.dll path is the standard Winsock catalog entry for the AF_HYPERV provider on Windows 10. Treat this signature as a weak VM-detection indicator; the sleep loop on TID 5900 above is the stronger evasion evidence in this run.
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0208092B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_02080D90 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0040ADB0 GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_004123F1 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0208D059 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_0208E86C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_020971BA __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_02092641 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Memory allocated: page read and write | page guard
Source: kMroyG6lXZ.exe, 00000000.00000002.489438816.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: kMroyG6lXZ.exe, 00000000.00000002.489438816.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: kMroyG6lXZ.exe, 00000000.00000002.489438816.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: kMroyG6lXZ.exe, 00000000.00000002.489438816.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: kMroyG6lXZ.exe, 00000000.00000002.489438816.0000000000C70000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: GetLocaleInfoA, | 0_2_00417A20
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: MapViewOfFile,RaiseException,LCMapStringA,GetLocaleInfoW,RegCreateKeyW, | 0_2_00433B40
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: GetLocaleInfoA, | 0_2_02097C70
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 queries)
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Code function: 0_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\kMroyG6lXZ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Yara match | File source: 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.224645228.0000000000724000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.490498068.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.491643531.0000000003505000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.490137711.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kMroyG6lXZ.exe PID: 4944, type: MEMORY
Source: Yara match | File source: 0.3.kMroyG6lXZ.exe.7242d0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.21ed976.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.23b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.21eca8e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3523550.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.23b0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.21eca8e.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3523550.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3505530.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.21ed976.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.kMroyG6lXZ.exe.7242d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3506418.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3506418.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3505530.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.2170ee8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.2170ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: ElectrumRule
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: JaxxRule
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: Ethereum#\Ethereum\wallets
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: ExodusRule
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: EthereumRule
Source: kMroyG6lXZ.exe, 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp | String found in binary or memory: set_UseMachineKeyStore
Source: Yara match | File source: 00000000.00000002.490258905.00000000021AC000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.224645228.0000000000724000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.490498068.00000000023B0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.491643531.0000000003505000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.490137711.0000000002170000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: kMroyG6lXZ.exe PID: 4944, type: MEMORY |
Source: Yara match | File source: 0.3.kMroyG6lXZ.exe.7242d0.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.21ed976.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.23b0000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.21eca8e.4.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3523550.9.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.23b0000.6.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.21eca8e.4.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3523550.9.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3505530.8.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.21ed976.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.kMroyG6lXZ.exe.7242d0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3506418.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3506418.7.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.3505530.8.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.2170000.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.2170ee8.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.2170ee8.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.kMroyG6lXZ.exe.2170000.3.raw.unpack, type: UNPACKEDPE |