Source: SyfCbCNRRU.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: | Binary string: F:\Desktop V500\important\CSharp-RunPE-master\RunPE\obj\Debug\SeaCyanPul.pdb source: SyfCbCNRRU.exe, 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, SyfCbCNRRU.exe, 00000000.00000002.268240261.0000000004FD0000.00000004.08000000.00040000.00000000.sdmp |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012A4610h | 1_2_012A41F8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012A3825h | 1_2_012A2D38 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012A3EC9h | 1_2_012A3C08 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012A4610h | 1_2_012A41E9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AF2F1h | 1_2_012AF03C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_012A288B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AFBA1h | 1_2_012AF8E8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AE5E9h | 1_2_012AE330 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AEE99h | 1_2_012AEBE0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_012A2A6D |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 1_2_012A2258 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012A4610h | 1_2_012A453E |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AF749h | 1_2_012AF48F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AEA41h | 1_2_012AE787 |
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.SyfCbCNRRU.exe.2899404.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.SyfCbCNRRU.exe.27bbbd0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.SyfCbCNRRU.exe.27b859c.0.raw.unpack, type: UNPACKEDPE |
Source: SyfCbCNRRU.exe, 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.520992752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q |
Source: SyfCbCNRRU.exe | String found in binary or memory: http://edstarcoordinator.com/api.asmx/GetSystems |
Source: SyfCbCNRRU.exe, 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.520992752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot |
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs | .Net Code: TakeScreenshot |
Source: SyfCbCNRRU.exe, 00000000.00000002.265275088.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> | |
Source: 0.2.SyfCbCNRRU.exe.2899404.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 0.2.SyfCbCNRRU.exe.2899404.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 0.2.SyfCbCNRRU.exe.2899404.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 0.2.SyfCbCNRRU.exe.2899404.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 0.2.SyfCbCNRRU.exe.27bbbd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 0.2.SyfCbCNRRU.exe.27bbbd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 0.2.SyfCbCNRRU.exe.27b859c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen |
Source: 0.2.SyfCbCNRRU.exe.27b859c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 00000001.00000002.520992752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: Process Memory Space: SyfCbCNRRU.exe PID: 7040, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: Process Memory Space: RegAsm.exe PID: 5124, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown |
Source: 0.2.SyfCbCNRRU.exe.2899404.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 0.2.SyfCbCNRRU.exe.2899404.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: 0.2.SyfCbCNRRU.exe.2899404.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 0.2.SyfCbCNRRU.exe.2899404.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: 0.2.SyfCbCNRRU.exe.27bbbd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 0.2.SyfCbCNRRU.exe.27bbbd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: 0.2.SyfCbCNRRU.exe.27b859c.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking |
Source: 0.2.SyfCbCNRRU.exe.27b859c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: 00000001.00000002.520992752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: Process Memory Space: SyfCbCNRRU.exe PID: 7040, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: Process Memory Space: RegAsm.exe PID: 5124, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23 |
Source: SyfCbCNRRU.exe, 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSeaCyanPul.dll" vs SyfCbCNRRU.exe |
Source: SyfCbCNRRU.exe, 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKrakenStub.exe6 vs SyfCbCNRRU.exe |
Source: SyfCbCNRRU.exe, 00000000.00000003.256112733.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs SyfCbCNRRU.exe |
Source: SyfCbCNRRU.exe, 00000000.00000002.267014370.00000000037D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs SyfCbCNRRU.exe |
Source: SyfCbCNRRU.exe, 00000000.00000000.255167077.00000000004FE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRareCommodityHelper.exeH vs SyfCbCNRRU.exe |
Source: SyfCbCNRRU.exe, 00000000.00000002.267865549.0000000004E80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs SyfCbCNRRU.exe |
Source: SyfCbCNRRU.exe, 00000000.00000002.265275088.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SyfCbCNRRU.exe |
Source: SyfCbCNRRU.exe, 00000000.00000002.268240261.0000000004FD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSeaCyanPul.dll" vs SyfCbCNRRU.exe |
Source: SyfCbCNRRU.exe | Binary or memory string: OriginalFilenameRareCommodityHelper.exeH vs SyfCbCNRRU.exe |
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Code function: 0_2_0275F9B0 | 0_2_0275F9B0 |
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Code function: 0_2_027550C0 | 0_2_027550C0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AA9C8 | 1_2_012AA9C8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AB2A9 | 1_2_012AB2A9 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A2D38 | 1_2_012A2D38 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A3C08 | 1_2_012A3C08 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A66B8 | 1_2_012A66B8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AF03C | 1_2_012AF03C |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AF8E8 | 1_2_012AF8E8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AE330 | 1_2_012AE330 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AABE8 | 1_2_012AABE8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AEBE0 | 1_2_012AEBE0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A2230 | 1_2_012A2230 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AA230 | 1_2_012AA230 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AA240 | 1_2_012AA240 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A2258 | 1_2_012A2258 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A1469 | 1_2_012A1469 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AF48F | 1_2_012AF48F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AE787 | 1_2_012AE787 |
Source: SyfCbCNRRU.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80% | |
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Source: unknown | Process created: C:\Users\user\Desktop\SyfCbCNRRU.exe C:\Users\user\Desktop\SyfCbCNRRU.exe | |
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | |
Source: SyfCbCNRRU.exe, RareCommodityHelper/MainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: 0.0.SyfCbCNRRU.exe.4c0000.0.unpack, RareCommodityHelper/MainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenDumpedList.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' |
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' |
Source: SyfCbCNRRU.exe, PathNode.cs | .Net Code: ANTR3ND0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.SyfCbCNRRU.exe.4c0000.0.unpack, PathNode.cs | .Net Code: ANTR3ND0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX |
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll') |
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/FFDecryptor.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll') |
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Queries volume information: C:\Users\user\Desktop\SyfCbCNRRU.exe VolumeInformation |
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation |
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: Yara match | File source: 0.2.SyfCbCNRRU.exe.2899404.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.SyfCbCNRRU.exe.2899404.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.SyfCbCNRRU.exe.27bbbd0.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.SyfCbCNRRU.exe.27b859c.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000001.00000002.520992752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: SyfCbCNRRU.exe PID: 7040, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5124, type: MEMORYSTR |