Windows Analysis Report
6Ek4nfs2y1.exe

Overview

General Information

Sample name: 6Ek4nfs2y1.exe
renamed because original name is a hash value
Original sample name: c2d87b5b3c906a6725f420ee3e5cb28a81bcc756b1935d6875578bbc73978687.exe
Analysis ID: 1467001
MD5: 21ccb2cd9a4fbc259ab1110bc687b960
SHA1: 10d68517383a76dd23e172c1f02a74cadf104b34
SHA256: c2d87b5b3c906a6725f420ee3e5cb28a81bcc756b1935d6875578bbc73978687
Tags: exe
Infos:

Detection

PhoenixKeylogger, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PhoenixKeylogger
Yara detected PureLog Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe ReversingLabs: Detection: 70%
Multi AV Scanner detection for submitted file
Source: 6Ek4nfs2y1.exe ReversingLabs: Detection: 70%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 6Ek4nfs2y1.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: 6Ek4nfs2y1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: 6Ek4nfs2y1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 6Ek4nfs2y1.exe, 00000000.00000002.1317117099.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.0000000002A98000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 6Ek4nfs2y1.exe, 00000000.00000002.1317117099.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.0000000002A98000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.118.44 34.117.118.44
Source: Joe Sandbox View IP Address: 34.117.118.44 34.117.118.44
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: ifconfig.me
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Qlnxkam.dat HTTP/1.1Host: nexoproducciones.clConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: ifconfig.meConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: nexoproducciones.cl
Source: global traffic DNS traffic detected: DNS query: ifconfig.me
Source: 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FEA000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.000000000342C000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.000000000341B000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E14000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ifconfig.me
Source: 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002D51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ifconfig.me/ip
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002841000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.00000000025F1000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.000000000341B000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002841000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.00000000025F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nexoproducciones.cl
Source: 6Ek4nfs2y1.exe, Qulzerug.exe.0.dr String found in binary or memory: https://nexoproducciones.cl/Qlnxkam.dat
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nexoproducciones.cl/Qlnxkam.datt
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.00000000029E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.10.178:443 -> 192.168.2.10:49711 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected PhoenixKeylogger
Source: Yara match File source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 12.2.Qulzerug.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0000000D.00000002.2495878153.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000C.00000002.2495830056.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR Matched rule: Phoenix/404KeyLogger keylogger payload Author: ditekSHen
Source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Detected potential crypto function
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 0_2_084DDA70 0_2_084DDA70
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 0_2_084C0040 0_2_084C0040
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 0_2_084C0006 0_2_084C0006
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_0158B341 8_2_0158B341
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_01588670 8_2_01588670
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_01584B58 8_2_01584B58
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_01587A58 8_2_01587A58
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_0158DD60 8_2_0158DD60
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_01587DA0 8_2_01587DA0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE76F8 8_2_06AE76F8
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AEB6F0 8_2_06AEB6F0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AEAE38 8_2_06AEAE38
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE6E30 8_2_06AE6E30
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE2648 8_2_06AE2648
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE7FC0 8_2_06AE7FC0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE5CA0 8_2_06AE5CA0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE0DB0 8_2_06AE0DB0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE6568 8_2_06AE6568
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AEA2B8 8_2_06AEA2B8
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AED258 8_2_06AED258
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE4250 8_2_06AE4250
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE1B90 8_2_06AE1B90
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE53D8 8_2_06AE53D8
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE4B10 8_2_06AE4B10
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE8880 8_2_06AE8880
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE3988 8_2_06AE3988
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE99F0 8_2_06AE99F0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE9148 8_2_06AE9148
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE76E8 8_2_06AE76E8
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AEB6E1 8_2_06AEB6E1
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AEAE23 8_2_06AEAE23
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE6E20 8_2_06AE6E20
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE2637 8_2_06AE2637
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE7FB0 8_2_06AE7FB0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE2F02 8_2_06AE2F02
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE2F10 8_2_06AE2F10
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE1CA8 8_2_06AE1CA8
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE1C99 8_2_06AE1C99
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE5C90 8_2_06AE5C90
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE0DA1 8_2_06AE0DA1
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE6558 8_2_06AE6558
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AEA2AA 8_2_06AEA2AA
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE4AFF 8_2_06AE4AFF
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AED24A 8_2_06AED24A
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE4240 8_2_06AE4240
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE53CA 8_2_06AE53CA
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE886F 8_2_06AE886F
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE99E0 8_2_06AE99E0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE9138 8_2_06AE9138
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06AE397A 8_2_06AE397A
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B7AA30 8_2_06B7AA30
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B7DCB0 8_2_06B7DCB0
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B70040 8_2_06B70040
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B786EE 8_2_06B786EE
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B70006 8_2_06B70006
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 9_2_0863DA70 9_2_0863DA70
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 9_2_08620040 9_2_08620040
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 9_2_08620006 9_2_08620006
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 11_2_0809DA70 11_2_0809DA70
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 11_2_0808000A 11_2_0808000A
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 11_2_08080040 11_2_08080040
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_0161B341 12_2_0161B341
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_01618670 12_2_01618670
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_01617A58 12_2_01617A58
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_0161DD60 12_2_0161DD60
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_01617DA0 12_2_01617DA0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_0161DD57 12_2_0161DD57
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D5B6F0 12_2_06D5B6F0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D576F8 12_2_06D576F8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D52648 12_2_06D52648
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D56E30 12_2_06D56E30
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D5AE38 12_2_06D5AE38
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D57FC0 12_2_06D57FC0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D55CA0 12_2_06D55CA0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D50DB0 12_2_06D50DB0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D56568 12_2_06D56568
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D5A2B8 12_2_06D5A2B8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D54250 12_2_06D54250
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D5D258 12_2_06D5D258
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D553D8 12_2_06D553D8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D51B90 12_2_06D51B90
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D54B10 12_2_06D54B10
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D58880 12_2_06D58880
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D599F0 12_2_06D599F0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D53988 12_2_06D53988
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D59148 12_2_06D59148
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D576EF 12_2_06D576EF
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D5B6EB 12_2_06D5B6EB
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D52643 12_2_06D52643
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D56E25 12_2_06D56E25
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D5AE2F 12_2_06D5AE2F
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D57FB3 12_2_06D57FB3
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D52F10 12_2_06D52F10
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D52F03 12_2_06D52F03
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D55C93 12_2_06D55C93
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D51CA3 12_2_06D51CA3
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D51CA8 12_2_06D51CA8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D50DAB 12_2_06D50DAB
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D56558 12_2_06D56558
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D54AFF 12_2_06D54AFF
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D5A2B3 12_2_06D5A2B3
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D5424B 12_2_06D5424B
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D5D24B 12_2_06D5D24B
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D553D3 12_2_06D553D3
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D5887B 12_2_06D5887B
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D599EB 12_2_06D599EB
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D53983 12_2_06D53983
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D59143 12_2_06D59143
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DEDCB0 12_2_06DEDCB0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DEAA30 12_2_06DEAA30
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DE0040 12_2_06DE0040
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DEB1A3 12_2_06DEB1A3
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DE0007 12_2_06DE0007
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_0102B341 13_2_0102B341
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_01028670 13_2_01028670
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_01027A58 13_2_01027A58
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_0102DD60 13_2_0102DD60
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_01027DA0 13_2_01027DA0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D76F8 13_2_068D76F8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068DB6F0 13_2_068DB6F0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068DAE38 13_2_068DAE38
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D6E30 13_2_068D6E30
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D2648 13_2_068D2648
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D7FC0 13_2_068D7FC0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D5CA0 13_2_068D5CA0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D0DB0 13_2_068D0DB0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D6568 13_2_068D6568
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068DA2B8 13_2_068DA2B8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068DD258 13_2_068DD258
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D4250 13_2_068D4250
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D1B90 13_2_068D1B90
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D53D8 13_2_068D53D8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D4B10 13_2_068D4B10
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D8880 13_2_068D8880
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D3988 13_2_068D3988
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D99F0 13_2_068D99F0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D9148 13_2_068D9148
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D76E8 13_2_068D76E8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068DB6E1 13_2_068DB6E1
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D6E20 13_2_068D6E20
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068DAE23 13_2_068DAE23
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D2637 13_2_068D2637
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D7FB0 13_2_068D7FB0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D2F03 13_2_068D2F03
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D2F10 13_2_068D2F10
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D1C99 13_2_068D1C99
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D5C90 13_2_068D5C90
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D1CA8 13_2_068D1CA8
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D0DA1 13_2_068D0DA1
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D6558 13_2_068D6558
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068DA2AB 13_2_068DA2AB
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D4AFF 13_2_068D4AFF
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068DD24A 13_2_068DD24A
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D4240 13_2_068D4240
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D53CB 13_2_068D53CB
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D886F 13_2_068D886F
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D99E0 13_2_068D99E0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D9138 13_2_068D9138
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_068D3977 13_2_068D3977
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_0696AA30 13_2_0696AA30
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_0696DCB0 13_2_0696DCB0
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_06960040 13_2_06960040
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 13_2_06960006 13_2_06960006
Sample file is different than original file name gathered from version info
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.00000000028A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1317117099.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamek.exe$ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1310836981.00000000075A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameLxkfkqeij.dll" vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000000.1242378149.0000000000592000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWzkyuqq.exe0 vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWzkyuqq.exe0 vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamek.exe$ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLxkfkqeij.dll" vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1287144477.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe, 00000008.00000002.2496879435.0000000000DA7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 6Ek4nfs2y1.exe
Source: 6Ek4nfs2y1.exe Binary or memory string: OriginalFilenameWzkyuqq.exe0 vs 6Ek4nfs2y1.exe
Uses 32bit PE files
Source: 6Ek4nfs2y1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 12.2.Qulzerug.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0000000D.00000002.2495878153.000000000040E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000C.00000002.2495830056.0000000000418000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR Matched rule: MALWARE_Win_Phoenix author = ditekSHen, description = Phoenix/404KeyLogger keylogger payload, clamav_sig = MALWARE.Win.Trojan.Phoenix-Keylogger
Source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/4@2/2
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe File created: C:\Users\user\AppData\Roaming\Qulzerug.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Mutant created: NULL
Source: 6Ek4nfs2y1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6Ek4nfs2y1.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000003080000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.0000000003090000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000008.00000002.2507975182.000000000309E000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.00000000034C5000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000C.00000002.2509279792.00000000034B5000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002EB4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2506617896.0000000002EC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 6Ek4nfs2y1.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe File read: C:\Users\user\Desktop\6Ek4nfs2y1.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\6Ek4nfs2y1.exe "C:\Users\user\Desktop\6Ek4nfs2y1.exe"
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process created: C:\Users\user\Desktop\6Ek4nfs2y1.exe "C:\Users\user\Desktop\6Ek4nfs2y1.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe"
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process created: C:\Users\user\Desktop\6Ek4nfs2y1.exe "C:\Users\user\Desktop\6Ek4nfs2y1.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe" Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 6Ek4nfs2y1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 6Ek4nfs2y1.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 6Ek4nfs2y1.exe, 00000000.00000002.1317117099.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.0000000002A98000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 6Ek4nfs2y1.exe, 00000000.00000002.1317117099.0000000007BB0000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002C3A000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002EF7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.0000000002A98000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006B3E000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1316623407.0000000007B10000.00000004.08000000.00040000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006860000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1552321721.0000000006900000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1571676303.00000000064EF000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 6Ek4nfs2y1.exe, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: Qulzerug.exe.0.dr, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.6Ek4nfs2y1.exe.7b10000.14.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.6Ek4nfs2y1.exe.7b10000.14.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.6Ek4nfs2y1.exe.7b10000.14.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.6Ek4nfs2y1.exe.7b10000.14.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.6Ek4nfs2y1.exe.7b10000.14.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.6Ek4nfs2y1.exe.2d3b804.3.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.6Ek4nfs2y1.exe.6b660c0.7.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.6Ek4nfs2y1.exe.6b660c0.7.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.6Ek4nfs2y1.exe.6b660c0.7.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.6Ek4nfs2y1.exe.6b660c0.7.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.6Ek4nfs2y1.exe.6b660c0.7.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.5860000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.4a24a70.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6a9e080.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.644f058.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.2e59a88.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.2b9c980.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.49fca50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.2b9c980.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.29485bc.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.2e59a88.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.29485bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.687f060.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.687f060.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6660040.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1299183493.0000000005860000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1552321721.00000000067C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1571676303.0000000006230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1288077227.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 0_2_084C30D8 push esi; retn 0000h 0_2_084C30D9
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 0_2_084C61B6 push cs; iretd 0_2_084C61B7
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_015850DE pushad ; retf 8_2_015850E4
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B7E2BF push es; iretd 8_2_06B7E324
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B72FE2 push es; iretd 8_2_06B72FF4
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B77BD9 push 8BFFFFFFh; retf 8_2_06B77BDF
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B7E332 push es; iretd 8_2_06B7E324
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B7573F push 8B000003h; iretd 8_2_06B75744
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B7E320 push es; iretd 8_2_06B7E324
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_06B7E840 push es; ret 8_2_06B7E850
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 9_2_086230D8 push esi; retn 0000h 9_2_086230D9
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 9_2_086261B6 push cs; iretd 9_2_086261B7
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 11_2_080830D8 push esi; retn 0000h 11_2_080830D9
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 11_2_080861B6 push cs; iretd 11_2_080861B7
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_01612F2E push es; ret 12_2_01612ED5
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D50C78 pushad ; ret 12_2_06D50D02
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06D50C69 pushad ; ret 12_2_06D50C6A
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DE2ECB push es; retf 12_2_06DE2F78
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DE2E74 push es; retf 12_2_06DE2F78
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DEF608 push esi; ret 12_2_06DEFB36
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DE2F4B push es; retf 12_2_06DE2F78
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DE2F79 push es; iretd 12_2_06DE2FF4
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DE573D push 8B000003h; iretd 12_2_06DE5744
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DEFCD3 push edi; ret 12_2_06DEFCDA
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DEFCE0 push edi; ret 12_2_06DEFD3A
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DEF5A8 push esp; ret 12_2_06DEF5FA
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DEC50B push es; ret 12_2_06DEC514
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DEC508 pushfd ; ret 12_2_06DEC509
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DE3D09 push es; iretd 12_2_06DE3D0C
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DEFD3B push edi; ret 12_2_06DEFD42
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Code function: 12_2_06DEE26F push es; iretd 12_2_06DEE324
Drops PE files
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe File created: C:\Users\user\AppData\Roaming\Qulzerug.exe Jump to dropped file
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Qulzerug Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Qulzerug Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.00000000029B8000.00000004.00000800.00020000.00000000.sdmp, 6Ek4nfs2y1.exe, 00000000.00000002.1288077227.0000000002AE7000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1506650120.0000000002DA4000.00000004.00000800.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Memory allocated: 26D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Memory allocated: 2840000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Memory allocated: 4840000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Memory allocated: 6440000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Memory allocated: 7440000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Memory allocated: 1580000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Memory allocated: 2F20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Memory allocated: 4F20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 2930000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 2AF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 4AF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 65A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 75A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 25F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 45F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 6010000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 7010000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 1610000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 3360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 1840000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 1020000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Memory allocated: 10D0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Window / User API: threadDelayed 1634 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Window / User API: threadDelayed 4691 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Window / User API: threadDelayed 2332 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Window / User API: threadDelayed 7484 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Window / User API: threadDelayed 1607 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Window / User API: threadDelayed 3786 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -19369081277395017s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7464 Thread sleep count: 1634 > 30 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7456 Thread sleep count: 4691 > 30 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -99875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -99765s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -99547s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -99437s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -99219s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -99109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -99000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -98891s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -98779s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -98588s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -98484s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -98375s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -98266s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -98156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -98047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -97937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -97828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -97718s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -97606s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -97500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -97390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -97257s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -97156s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -97047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -96935s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7436 Thread sleep time: -96828s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe TID: 7392 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -35048813740048126s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8124 Thread sleep count: 2332 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8124 Thread sleep count: 7484 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -99868s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -99719s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -99610s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -99485s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -99360s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -99235s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -99101s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -98985s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -98860s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -98735s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -98610s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -98485s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -98360s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -98235s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -98106s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -98000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -97889s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -97782s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -97657s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -97532s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -97407s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -97297s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -97188s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -97063s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -96938s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -96813s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -96688s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -96578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -96469s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -96344s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -96234s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -96125s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -96016s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -95906s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -95780s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -95672s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -95563s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -95438s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -95313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -95203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -95094s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -94969s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -94860s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -94736s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -94592s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -94485s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 8096 Thread sleep time: -94375s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -15679732462653109s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 6956 Thread sleep count: 1607 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 6956 Thread sleep count: 3786 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -99874s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -99765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -99656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -99547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -99438s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -99328s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -99219s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -99094s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -98985s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -98860s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -98735s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -98610s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -98485s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -98360s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -98235s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -98110s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -97954s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -97806s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -97685s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -97557s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -97438s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -97313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -97188s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -97078s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 7212 Thread sleep time: -96957s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe TID: 6704 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 99765 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 99547 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 99219 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 99109 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 99000 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 98891 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 98779 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 98588 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 98484 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 98375 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 98266 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 98156 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 98047 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 97937 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 97828 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 97718 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 97606 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 97500 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 97390 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 97257 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 97156 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 97047 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 96935 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 96828 Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99868 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99719 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99610 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99485 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99360 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99235 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99101 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98985 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98860 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98735 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98610 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98485 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98360 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98235 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98106 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97889 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97782 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97657 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97532 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97407 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97297 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97188 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97063 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 96938 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 96813 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 96688 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 96578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 96469 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 96344 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 96234 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 96125 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 96016 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 95906 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 95780 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 95672 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 95563 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 95438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 95313 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 95203 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 95094 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 94969 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 94860 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 94736 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 94592 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 94485 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 94375 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99874 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99765 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99328 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99219 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 99094 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98985 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98860 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98735 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98610 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98485 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98360 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98235 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 98110 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97954 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97806 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97685 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97557 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97438 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97313 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97188 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 97078 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 96957 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Qulzerug.exe, 0000000B.00000002.1519866057.000000000289B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: 6Ek4nfs2y1.exe, 00000008.00000002.2501007282.000000000138F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
Source: Qulzerug.exe, 0000000D.00000002.2504913703.0000000001255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemuV
Source: 6Ek4nfs2y1.exe, 00000000.00000002.1287219825.0000000000BF2000.00000004.00000020.00020000.00000000.sdmp, Qulzerug.exe, 00000009.00000002.1501370521.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Qulzerug.exe, 0000000B.00000002.1510861203.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, Qulzerug.exe, 0000000D.00000002.2500946506.000000000122D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Qulzerug.exe, 0000000C.00000002.2500217975.0000000001675000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Code function: 8_2_0158DD60 LdrInitializeThunk, 8_2_0158DD60
Enables debug privileges
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Process created: C:\Users\user\Desktop\6Ek4nfs2y1.exe "C:\Users\user\Desktop\6Ek4nfs2y1.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Process created: C:\Users\user\AppData\Roaming\Qulzerug.exe "C:\Users\user\AppData\Roaming\Qulzerug.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Queries volume information: C:\Users\user\Desktop\6Ek4nfs2y1.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Queries volume information: C:\Users\user\Desktop\6Ek4nfs2y1.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Users\user\AppData\Roaming\Qulzerug.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Users\user\AppData\Roaming\Qulzerug.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Users\user\AppData\Roaming\Qulzerug.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Users\user\AppData\Roaming\Qulzerug.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected PhoenixKeylogger
Source: Yara match File source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 9.2.Qulzerug.exe.3af9550.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.75a0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.4714720.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6660040.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.3af9550.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.75a0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.687f060.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.687f060.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6660040.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1571676303.0000000006230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1310836981.00000000075A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1526328229.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\ Jump to behavior
Source: C:\Users\user\Desktop\6Ek4nfs2y1.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\Qulzerug.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PhoenixKeylogger
Source: Yara match File source: 9.2.Qulzerug.exe.4a24a70.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.65aced8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.49fca50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6bfbf00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.65d4ef8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6c23f20.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Qulzerug.exe.65670b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6bb60e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1506650120.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1288077227.0000000002D74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2506617896.0000000002EC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2507975182.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1552321721.00000000069BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1519866057.0000000002B1A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2509279792.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1571676303.0000000006567000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1300542157.0000000006BB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1537011731.0000000003DDA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1290493842.0000000004026000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6Ek4nfs2y1.exe PID: 7912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 8060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 1816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 7536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Qulzerug.exe PID: 1384, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 9.2.Qulzerug.exe.3af9550.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.75a0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.4714720.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6660040.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.3af9550.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.75a0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.687f060.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.687f060.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.Qulzerug.exe.4714720.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.6Ek4nfs2y1.exe.6660040.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1571676303.0000000006230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1526328229.0000000004714000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1310836981.00000000075A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1526328229.0000000003AF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1300542157.0000000006441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467001 Sample: 6Ek4nfs2y1.exe Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 32 nexoproducciones.cl 2->32 34 ifconfig.me 2->34 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected PureLog Stealer 2->48 50 7 other signatures 2->50 7 6Ek4nfs2y1.exe 16 5 2->7         started        12 Qulzerug.exe 14 3 2->12         started        14 Qulzerug.exe 2 2->14         started        signatures3 process4 dnsIp5 36 nexoproducciones.cl 104.21.10.178, 443, 49704, 49706 CLOUDFLARENETUS United States 7->36 24 C:\Users\user\AppData\Roaming\Qulzerug.exe, PE32 7->24 dropped 26 C:\Users\...\Qulzerug.exe:Zone.Identifier, ASCII 7->26 dropped 28 C:\Users\user\AppData\...\6Ek4nfs2y1.exe.log, ASCII 7->28 dropped 52 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->52 16 6Ek4nfs2y1.exe 2 7->16         started        54 Multi AV Scanner detection for dropped file 12->54 56 Machine Learning detection for dropped file 12->56 20 Qulzerug.exe 12->20         started        22 Qulzerug.exe 14->22         started        file6 signatures7 process8 dnsIp9 30 ifconfig.me 34.117.118.44, 49705, 49712, 49713 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 16->30 38 Tries to steal Mail credentials (via file / registry access) 22->38 40 Tries to harvest and steal ftp login credentials 22->40 42 Tries to harvest and steal browser information (history, passwords, etc) 22->42 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.118.44
 ifconfig.me United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
104.21.10.178
 nexoproducciones.cl United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
nexoproducciones.cl 104.21.10.178 true
ifconfig.me 34.117.118.44 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ifconfig.me/ip false
  • Avira URL Cloud: safe
 unknown
https://nexoproducciones.cl/Qlnxkam.dat false
  • Avira URL Cloud: safe
 unknown