Windows Analysis Report
7sAylAXBOb.exe

Overview

General Information

Sample name: 7sAylAXBOb.exe
renamed because original name is a hash value
Original sample name: c634f44560fe43def439cbf47ba668dfee9905d2e5cae1bac2789e59f82e8526.exe
Analysis ID: 1467010
MD5: 85179ac6aec3b32a40b06f35cfc6594b
SHA1: 6700b84fa70c4b5ccab8688db32ac71a2aafeeb6
SHA256: c634f44560fe43def439cbf47ba668dfee9905d2e5cae1bac2789e59f82e8526
Tags: exe
Infos:

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to resolve many domain names, but no domain seems valid
Connects to many different domains
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Executes massive DNS lookups (> 100)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: 7sAylAXBOb.exe Avira: detected
Antivirus detection for dropped file
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Avira: detection malicious, Label: TR/Nivdort.Gen2
Multi AV Scanner detection for dropped file
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe ReversingLabs: Detection: 86%
Source: C:\zqzhokrkxswikv\gyyuuofs.exe ReversingLabs: Detection: 86%
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe ReversingLabs: Detection: 86%
Multi AV Scanner detection for submitted file
Source: 7sAylAXBOb.exe ReversingLabs: Detection: 91%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Joe Sandbox ML: detected
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Joe Sandbox ML: detected
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 7sAylAXBOb.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Code function: 2_2_00E4BA80 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom, 2_2_00E4BA80
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: 3_2_0078BA80 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom, 3_2_0078BA80
Uses 32bit PE files
Source: 7sAylAXBOb.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7sAylAXBOb.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00655250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00655250
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Code function: 2_2_00E45250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00E45250
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: 3_2_00785250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00785250
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 4_2_00E35250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00E35250
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 13_2_00FF5250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 13_2_00FF5250

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2815568 ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort 192.168.2.9:49706 -> 77.247.183.155:80
Source: Traffic Snort IDS: 2018316 ET TROJAN Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses 1.1.1.1:53 -> 192.168.2.9:50077
Source: Traffic Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 34.246.200.160:80 -> 192.168.2.9:49710
Source: Traffic Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 3.94.10.34:80 -> 192.168.2.9:49711
Source: Traffic Snort IDS: 2811542 ETPRO TROJAN Possible Tinba DGA NXDOMAIN Responses (net) 1.1.1.1:53 -> 192.168.2.9:58330
Source: Traffic Snort IDS: 2037771 ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst 44.221.84.105:80 -> 192.168.2.9:53875
Source: Traffic Snort IDS: 2815568 ETPRO TROJAN Terse HTTP 1.0 Request Possible Nivdort 192.168.2.9:53879 -> 77.247.183.155:80
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: familywhose.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cigarettewithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eithercomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machinewithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: familyprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machinenature.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: childrenwagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: englisharound.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: foreignwelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: personwithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectwagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: familybicycle.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eitherbridge.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: becauseprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: personprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: foreignenough.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectcomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suddenwithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: personnature.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: rightkitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: englishkitchen.net replaycode: Server failure (2)
Source: unknown DNS traffic detected: query: becausecomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: becauseenough.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: becausenature.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machineprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eitherbicycle.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectgovern.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: foreignwithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: rightprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: englishwelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: whetheraround.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suddengovern.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: rightproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: familyexcept.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: childrenprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: englishwithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eitheraround.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eitherwhose.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: figurecomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: rightwagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: picturewelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machinearound.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: familywagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectkitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: persongovern.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: foreignkitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: rightcomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: familywelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectwelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: pictureprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: whetherwithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eitherwelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: figurewelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: personneedle.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machinewagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: becauseneedle.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suddenwagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: pictureproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: thoughwithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cigarettearound.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: foreignnature.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: englishbicycle.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eitherwagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suddenwelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectaround.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: foreignneedle.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: familycomplete.net replaycode: Server failure (2)
Source: unknown DNS traffic detected: query: englishcomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: englishexcept.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: whetherprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eitherkitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: childrencomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eitherproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: personcomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eitherexcept.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: childrenaround.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: personproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suddenaround.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: becauseproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: becausewelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: whethernature.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: picturekitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: englishwagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: thougharound.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: rightwithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machinewelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cigarettewhose.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: picturewithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: rightwelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suddenproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: thoughwagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: personwagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: becausewithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectnature.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: childrenbridge.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: thoughkitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cigaretteproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: personwelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: whethercomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: rightaround.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: foreigncomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: personaround.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machinegovern.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cigaretteprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: familywithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: thoughcomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suddenenough.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: picturearound.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machineenough.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectenough.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: figureproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: familyproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectneedle.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eitherprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: becausegovern.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: figureprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cigarettewagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: englishwhose.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: personkitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machinekitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suddennature.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: picturewagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: foreignprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: foreigngovern.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: eitherwithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: whetherkitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: childrenwithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: whetherwagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machineproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: picturecomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: becausearound.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: thoughwelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suddenkitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: childrenproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suddenprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: figurewagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: childrenkitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: childrenwhose.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: familyaround.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: personenough.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: figurearound.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: childrenexcept.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cigarettekitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: thoughproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: suddenneedle.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: foreignwagon.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cigarettewelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: foreignproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: becausekitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: englishprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: whetherwelcome.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectprobable.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectwithout.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machineneedle.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: whetherproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: figurekitchen.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: machinecomplete.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: expectproud.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: cigarettecomplete.net replaycode: Name error (3)
Connects to many different domains
Source: unknown Network traffic detected: DNS query count 170
Executes massive DNS lookups (> 100)
Source: global traffic DNS traffic detected: number of DNS queries: 170
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: familybridge.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: childrenbicycle.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: englishbridge.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: becausewagon.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: figurewithout.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: thoughprobable.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: familykitchen.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: suddencomplete.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: englishproud.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: familybridge.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: childrenbicycle.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: englishbridge.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: becausewagon.net
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.86.6.113 52.86.6.113
Source: Joe Sandbox View IP Address: 52.86.6.113 52.86.6.113
Source: Joe Sandbox View IP Address: 34.205.242.146 34.205.242.146
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View ASN Name: NFORCENL NFORCENL
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00640D90 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,recv,closesocket, 0_2_00640D90
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: familybridge.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: childrenbicycle.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: englishbridge.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: becausewagon.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: figurewithout.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: thoughprobable.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: familykitchen.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: suddencomplete.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: englishproud.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: familybridge.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: childrenbicycle.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: englishbridge.net
Source: global traffic HTTP traffic detected: GET /index.php HTTP/1.0Accept: */*Connection: closeHost: becausewagon.net
Source: global traffic DNS traffic detected: DNS query: cigarettewhose.net
Source: global traffic DNS traffic detected: DNS query: childrenexcept.net
Source: global traffic DNS traffic detected: DNS query: familyexcept.net
Source: global traffic DNS traffic detected: DNS query: childrenbridge.net
Source: global traffic DNS traffic detected: DNS query: familybridge.net
Source: global traffic DNS traffic detected: DNS query: childrenbicycle.net
Source: global traffic DNS traffic detected: DNS query: familybicycle.net
Source: global traffic DNS traffic detected: DNS query: childrenwhose.net
Source: global traffic DNS traffic detected: DNS query: familywhose.net
Source: global traffic DNS traffic detected: DNS query: eitherexcept.net
Source: global traffic DNS traffic detected: DNS query: englishexcept.net
Source: global traffic DNS traffic detected: DNS query: eitherbridge.net
Source: global traffic DNS traffic detected: DNS query: englishbridge.net
Source: global traffic DNS traffic detected: DNS query: eitherbicycle.net
Source: global traffic DNS traffic detected: DNS query: englishbicycle.net
Source: global traffic DNS traffic detected: DNS query: eitherwhose.net
Source: global traffic DNS traffic detected: DNS query: englishwhose.net
Source: global traffic DNS traffic detected: DNS query: expectwagon.net
Source: global traffic DNS traffic detected: DNS query: becausewagon.net
Source: global traffic DNS traffic detected: DNS query: expectwithout.net
Source: global traffic DNS traffic detected: DNS query: becausewithout.net
Source: global traffic DNS traffic detected: DNS query: expectkitchen.net
Source: global traffic DNS traffic detected: DNS query: becausekitchen.net
Source: global traffic DNS traffic detected: DNS query: expectprobable.net
Source: global traffic DNS traffic detected: DNS query: becauseprobable.net
Source: global traffic DNS traffic detected: DNS query: personwagon.net
Source: global traffic DNS traffic detected: DNS query: machinewagon.net
Source: global traffic DNS traffic detected: DNS query: personwithout.net
Source: global traffic DNS traffic detected: DNS query: machinewithout.net
Source: global traffic DNS traffic detected: DNS query: personkitchen.net
Source: global traffic DNS traffic detected: DNS query: machinekitchen.net
Source: global traffic DNS traffic detected: DNS query: personprobable.net
Source: global traffic DNS traffic detected: DNS query: machineprobable.net
Source: global traffic DNS traffic detected: DNS query: suddenwagon.net
Source: global traffic DNS traffic detected: DNS query: foreignwagon.net
Source: global traffic DNS traffic detected: DNS query: suddenwithout.net
Source: global traffic DNS traffic detected: DNS query: foreignwithout.net
Source: global traffic DNS traffic detected: DNS query: suddenkitchen.net
Source: global traffic DNS traffic detected: DNS query: foreignkitchen.net
Source: global traffic DNS traffic detected: DNS query: suddenprobable.net
Source: global traffic DNS traffic detected: DNS query: foreignprobable.net
Source: global traffic DNS traffic detected: DNS query: whetherwagon.net
Source: global traffic DNS traffic detected: DNS query: rightwagon.net
Source: global traffic DNS traffic detected: DNS query: whetherwithout.net
Source: global traffic DNS traffic detected: DNS query: rightwithout.net
Source: global traffic DNS traffic detected: DNS query: whetherkitchen.net
Source: global traffic DNS traffic detected: DNS query: rightkitchen.net
Source: global traffic DNS traffic detected: DNS query: whetherprobable.net
Source: global traffic DNS traffic detected: DNS query: rightprobable.net
Source: global traffic DNS traffic detected: DNS query: figurewagon.net
Source: global traffic DNS traffic detected: DNS query: thoughwagon.net
Source: global traffic DNS traffic detected: DNS query: figurewithout.net
Source: global traffic DNS traffic detected: DNS query: thoughwithout.net
Source: global traffic DNS traffic detected: DNS query: figurekitchen.net
Source: global traffic DNS traffic detected: DNS query: thoughkitchen.net
Source: global traffic DNS traffic detected: DNS query: figureprobable.net
Source: global traffic DNS traffic detected: DNS query: thoughprobable.net
Source: global traffic DNS traffic detected: DNS query: picturewagon.net
Source: global traffic DNS traffic detected: DNS query: cigarettewagon.net
Source: global traffic DNS traffic detected: DNS query: picturewithout.net
Source: global traffic DNS traffic detected: DNS query: cigarettewithout.net
Source: global traffic DNS traffic detected: DNS query: picturekitchen.net
Source: global traffic DNS traffic detected: DNS query: cigarettekitchen.net
Source: global traffic DNS traffic detected: DNS query: pictureprobable.net
Source: global traffic DNS traffic detected: DNS query: cigaretteprobable.net
Source: global traffic DNS traffic detected: DNS query: childrenwagon.net
Source: global traffic DNS traffic detected: DNS query: familywagon.net
Source: global traffic DNS traffic detected: DNS query: childrenwithout.net
Source: global traffic DNS traffic detected: DNS query: familywithout.net
Source: global traffic DNS traffic detected: DNS query: childrenkitchen.net
Source: global traffic DNS traffic detected: DNS query: familykitchen.net
Source: global traffic DNS traffic detected: DNS query: childrenprobable.net
Source: global traffic DNS traffic detected: DNS query: familyprobable.net
Source: global traffic DNS traffic detected: DNS query: eitherwagon.net
Source: global traffic DNS traffic detected: DNS query: englishwagon.net
Source: global traffic DNS traffic detected: DNS query: eitherwithout.net
Source: global traffic DNS traffic detected: DNS query: englishwithout.net
Source: global traffic DNS traffic detected: DNS query: eitherkitchen.net
Source: global traffic DNS traffic detected: DNS query: englishkitchen.net
Source: global traffic DNS traffic detected: DNS query: eitherprobable.net
Source: global traffic DNS traffic detected: DNS query: englishprobable.net
Source: global traffic DNS traffic detected: DNS query: expectwelcome.net
Source: global traffic DNS traffic detected: DNS query: becausewelcome.net
Source: global traffic DNS traffic detected: DNS query: expectaround.net
Source: global traffic DNS traffic detected: DNS query: becausearound.net
Source: global traffic DNS traffic detected: DNS query: expectproud.net
Source: global traffic DNS traffic detected: DNS query: becauseproud.net
Source: global traffic DNS traffic detected: DNS query: expectcomplete.net
Source: global traffic DNS traffic detected: DNS query: becausecomplete.net
Source: global traffic DNS traffic detected: DNS query: personwelcome.net
Source: global traffic DNS traffic detected: DNS query: machinewelcome.net
Source: global traffic DNS traffic detected: DNS query: personaround.net
Source: global traffic DNS traffic detected: DNS query: machinearound.net
Source: global traffic DNS traffic detected: DNS query: personproud.net
Source: global traffic DNS traffic detected: DNS query: machineproud.net
Source: global traffic DNS traffic detected: DNS query: personcomplete.net
Source: global traffic DNS traffic detected: DNS query: machinecomplete.net
Source: global traffic DNS traffic detected: DNS query: suddenwelcome.net
Source: global traffic DNS traffic detected: DNS query: foreignwelcome.net
Source: global traffic DNS traffic detected: DNS query: suddenaround.net
Source: nlsxqvtcr.exe, 0000000C.00000002.2589785877.00000000020DD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://familybridge.net/index.php?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsI
Creates files inside the system directory
Source: C:\Users\user\Desktop\7sAylAXBOb.exe File created: C:\Windows\zqzhokrkxswikv\ Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe File created: C:\Windows\zqzhokrkxswikv\tpcbuesrb Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\7sAylAXBOb.exe File deleted: C:\Windows\zqzhokrkxswikv\tpcbuesrb Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00650EE7 0_2_00650EE7
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00650F01 0_2_00650F01
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_006497C0 0_2_006497C0
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Code function: 2_2_00E397C0 2_2_00E397C0
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: 3_2_00780F01 3_2_00780F01
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: 3_2_007797C0 3_2_007797C0
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 4_2_00E297C0 4_2_00E297C0
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 13_2_00FF0EE7 13_2_00FF0EE7
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 13_2_00FE97C0 13_2_00FE97C0
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 13_2_00FF0F01 13_2_00FF0F01
Uses 32bit PE files
Source: 7sAylAXBOb.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal96.troj.winEXE@13/5@202/9
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 0_2_00669A20
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 2_2_00E59A20
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 3_2_00799A20
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 4_2_00E49A20
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 13_2_01009A20
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_006625D5 CreateToolhelp32Snapshot,Module32First,CloseHandle,Process32Next,CloseHandle, 0_2_006625D5
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00669A20 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 0_2_00669A20
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_0064BB60 StartServiceCtrlDispatcherA, 0_2_0064BB60
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Code function: 2_2_00E3BB60 StartServiceCtrlDispatcherA, 2_2_00E3BB60
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: 3_2_0077BB60 StartServiceCtrlDispatcherA, 3_2_0077BB60
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 4_2_00E2BB60 StartServiceCtrlDispatcherA, 4_2_00E2BB60
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 13_2_00FEBB60 StartServiceCtrlDispatcherA, 13_2_00FEBB60
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Mutant created: NULL
Source: 7sAylAXBOb.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 7sAylAXBOb.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\Desktop\7sAylAXBOb.exe File read: C:\Users\user\Desktop\7sAylAXBOb.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\7sAylAXBOb.exe "C:\Users\user\Desktop\7sAylAXBOb.exe"
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Process created: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe "C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe"
Source: unknown Process created: C:\zqzhokrkxswikv\nlsxqvtcr.exe C:\zqzhokrkxswikv\nlsxqvtcr.exe
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Process created: C:\zqzhokrkxswikv\gyyuuofs.exe lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe"
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Process created: C:\zqzhokrkxswikv\nlsxqvtcr.exe "C:\zqzhokrkxswikv\nlsxqvtcr.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Process created: C:\zqzhokrkxswikv\nlsxqvtcr.exe "c:\zqzhokrkxswikv\nlsxqvtcr.exe"
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Process created: C:\zqzhokrkxswikv\gyyuuofs.exe lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe"
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Process created: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe "C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe" Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Process created: C:\zqzhokrkxswikv\nlsxqvtcr.exe "C:\zqzhokrkxswikv\nlsxqvtcr.exe" Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Process created: C:\zqzhokrkxswikv\gyyuuofs.exe lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe" Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Process created: C:\zqzhokrkxswikv\nlsxqvtcr.exe "c:\zqzhokrkxswikv\nlsxqvtcr.exe" Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Process created: C:\zqzhokrkxswikv\gyyuuofs.exe lbgkkmbemhiq "c:\zqzhokrkxswikv\nlsxqvtcr.exe" Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Section loaded: userenv.dll Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Section loaded: profapi.dll Jump to behavior
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: 7sAylAXBOb.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00631338 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetEnvironmentVariableA,CreateMutexA,CreateMutexA,CreateMutexA,GetTickCount,GetCommandLineA,Sleep,Sleep,Sleep,GetModuleFileNameA,SetFileAttributesA,CopyFileA,SetFileAttributesA,SetFileAttributesA,GetCommandLineA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,MessageBoxA,WSAStartup,CloseHandle,SetFileAttributesA,CopyFileA,SetFileAttributesA,Sleep,Sleep,SetFileAttributesA,CopyFileA,SetFileAttributesA,CreateThread,Sleep, 0_2_00631338
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_0064EF03 push ecx; iretd 0_2_0064EF10
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_006713F0 push eax; ret 0_2_00671404
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_006713F0 push eax; ret 0_2_0067142C
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Code function: 2_2_00E613F0 push eax; ret 2_2_00E61404
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Code function: 2_2_00E613F0 push eax; ret 2_2_00E6142C
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Code function: 2_2_00E3EF04 push ecx; iretd 2_2_00E3EF10
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: 3_2_0077EF0A push ecx; iretd 3_2_0077EF10
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: 3_2_007A13F0 push eax; ret 3_2_007A1404
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: 3_2_007A13F0 push eax; ret 3_2_007A142C
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 4_2_00E513F0 push eax; ret 4_2_00E51404
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 4_2_00E513F0 push eax; ret 4_2_00E5142C
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 4_2_00E2EF04 push ecx; iretd 4_2_00E2EF10
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 13_2_010113F0 push eax; ret 13_2_01011404
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 13_2_010113F0 push eax; ret 13_2_0101142C
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 13_2_00FEEF0A push ecx; iretd 13_2_00FEEF10
Drops PE files
Source: C:\Users\user\Desktop\7sAylAXBOb.exe File created: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Jump to dropped file
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe File created: C:\zqzhokrkxswikv\nlsxqvtcr.exe Jump to dropped file
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe File created: C:\zqzhokrkxswikv\gyyuuofs.exe Jump to dropped file
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00669A20 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle, 0_2_00669A20
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00631338 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetEnvironmentVariableA,CreateMutexA,CreateMutexA,CreateMutexA,GetTickCount,GetCommandLineA,Sleep,Sleep,Sleep,GetModuleFileNameA,SetFileAttributesA,CopyFileA,SetFileAttributesA,SetFileAttributesA,GetCommandLineA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,MessageBoxA,WSAStartup,CloseHandle,SetFileAttributesA,CopyFileA,SetFileAttributesA,Sleep,Sleep,SetFileAttributesA,CopyFileA,SetFileAttributesA,CreateThread,Sleep, 0_2_00631338
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle, 0_2_0063C260
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle, 2_2_00E2C260
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle, 3_2_0076C260
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle, 4_2_00E1C260
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle, 13_2_00FDC260
Contains functionality to query network adapater information
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary, 2_2_00E32C10
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,RtlAllocateHeap,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary, 3_2_00772C10
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Window / User API: threadDelayed 641 Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Window / User API: threadDelayed 1230 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe TID: 6572 Thread sleep time: -37774s >= -30000s Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 6988 Thread sleep count: 641 > 30 Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 6988 Thread sleep time: -641000s >= -30000s Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 6988 Thread sleep count: 1230 > 30 Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 6988 Thread sleep time: -1230000s >= -30000s Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe TID: 5428 Thread sleep count: 308 > 30 Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe TID: 5428 Thread sleep time: -15400000s >= -30000s Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe TID: 5428 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 4580 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\zqzhokrkxswikv\gyyuuofs.exe TID: 4580 Thread sleep time: -39000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Last function: Thread delayed
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Last function: Thread delayed
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Last function: Thread delayed
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Last function: Thread delayed
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00655250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00655250
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Code function: 2_2_00E45250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00E45250
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Code function: 3_2_00785250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00785250
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 4_2_00E35250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00E35250
Source: C:\zqzhokrkxswikv\gyyuuofs.exe Code function: 13_2_00FF5250 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 13_2_00FF5250
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Thread delayed: delay time: 50000 Jump to behavior
Source: akk3nwj1mabelfu4.exe, 00000002.00000002.1375176820.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, nlsxqvtcr.exe, 00000003.00000002.2155185204.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, nlsxqvtcr.exe, 0000000C.00000002.2589600492.0000000001487000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\7sAylAXBOb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7sAylAXBOb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7sAylAXBOb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7sAylAXBOb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7sAylAXBOb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7sAylAXBOb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7sAylAXBOb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7sAylAXBOb.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\7sAylAXBOb.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\gyyuuofs.exe API call chain: ExitProcess graph end node
Source: C:\zqzhokrkxswikv\nlsxqvtcr.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00631338 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetEnvironmentVariableA,CreateMutexA,CreateMutexA,CreateMutexA,GetTickCount,GetCommandLineA,Sleep,Sleep,Sleep,GetModuleFileNameA,SetFileAttributesA,CopyFileA,SetFileAttributesA,SetFileAttributesA,GetCommandLineA,GetModuleFileNameA,LoadLibraryA,GetProcAddress,MessageBoxA,WSAStartup,CloseHandle,SetFileAttributesA,CopyFileA,SetFileAttributesA,Sleep,Sleep,SetFileAttributesA,CopyFileA,SetFileAttributesA,CreateThread,Sleep, 0_2_00631338
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00667D20 GetProcessHeap,RtlFreeHeap, 0_2_00667D20
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_006407D0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_006407D0
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_00667635 GetSystemTime,GetTickCount, 0_2_00667635
Source: C:\Users\user\Desktop\7sAylAXBOb.exe Code function: 0_2_006582D0 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA, 0_2_006582D0
Source: C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467010 Sample: 7sAylAXBOb.exe Startdate: 03/07/2024 Architecture: WINDOWS Score: 96 37 whetherwithout.net 2->37 39 whetherwelcome.net 2->39 41 172 other IPs or domains 2->41 57 Snort IDS alert for network traffic 2->57 59 Antivirus / Scanner detection for submitted sample 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 3 other signatures 2->63 9 nlsxqvtcr.exe 10 2->9         started        14 7sAylAXBOb.exe 6 2->14         started        16 svchost.exe 2->16         started        signatures3 process4 dnsIp5 45 familybridge.net 77.247.183.155, 49706, 53879, 80 NFORCENL Netherlands 9->45 47 thoughprobable.net 3.94.10.34, 49711, 80 AMAZON-AESUS United States 9->47 49 6 other IPs or domains 9->49 33 C:\zqzhokrkxswikv\gyyuuofs.exe, PE32 9->33 dropped 65 Antivirus detection for dropped file 9->65 67 Multi AV Scanner detection for dropped file 9->67 69 Machine Learning detection for dropped file 9->69 18 gyyuuofs.exe 4 9->18         started        35 C:\zqzhokrkxswikv\akk3nwj1mabelfu4.exe, PE32 14->35 dropped 21 akk3nwj1mabelfu4.exe 10 14->21         started        file6 signatures7 process8 file9 24 nlsxqvtcr.exe 8 18->24         started        31 C:\zqzhokrkxswikv\nlsxqvtcr.exe, PE32 21->31 dropped 51 Antivirus detection for dropped file 21->51 53 Multi AV Scanner detection for dropped file 21->53 55 Machine Learning detection for dropped file 21->55 27 nlsxqvtcr.exe 4 21->27         started        signatures10 process11 dnsIp12 43 hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com 52.86.6.113, 53881, 80 AMAZON-AESUS United States 24->43 29 gyyuuofs.exe 4 24->29         started        process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
52.86.6.113
 hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com United States
14618 AMAZON-AESUS false
34.205.242.146
 hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com United States
14618 AMAZON-AESUS false
3.94.10.34
 thoughprobable.net United States
14618 AMAZON-AESUS true
77.247.183.155
 familybridge.net Netherlands
43350 NFORCENL true
34.246.200.160
 figurewithout.net United States
16509 AMAZON-02US true
44.221.84.105
 englishproud.net United States
14618 AMAZON-AESUS true
217.70.152.246
 childrenbicycle.net Italy
34081 SERVER24-ASINCUBATECGmbH-SrlIT false
15.197.192.55
 suddencomplete.net United States
7430 TANDEMUS false
3.64.163.50
 familykitchen.net United States
16509 AMAZON-02US false

Contacted Domains

Name IP Active
thoughprobable.net 3.94.10.34 true
suddencomplete.net 15.197.192.55 true
englishproud.net 44.221.84.105 true
hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com 52.86.6.113 true
figurewithout.net 34.246.200.160 true
childrenbicycle.net 217.70.152.246 true
familykitchen.net 3.64.163.50 true
hdr-nlb7-aebd5d615260636b.elb.us-east-1.amazonaws.com 34.205.242.146 true
familybridge.net 77.247.183.155 true
becausewagon.net 15.197.192.55 true
picturecomplete.net unknown unknown
becausekitchen.net unknown unknown
expectwagon.net unknown unknown
cigarettewelcome.net unknown unknown
englishwhose.net unknown unknown
rightkitchen.net unknown unknown
eitherexcept.net unknown unknown
machineenough.net unknown unknown
becausenature.net unknown unknown
foreignwithout.net unknown unknown
whetherwithout.net unknown unknown
rightwithout.net unknown unknown
suddenproud.net unknown unknown
cigarettewhose.net unknown unknown
familywhose.net unknown unknown
childrenprobable.net unknown unknown
eitherwhose.net unknown unknown
cigaretteproud.net unknown unknown
englisharound.net unknown unknown
childrenwelcome.net unknown unknown
englishwelcome.net unknown unknown
suddenenough.net unknown unknown
figureproud.net unknown unknown
foreignnature.net unknown unknown
whetherprobable.net unknown unknown
becausewelcome.net unknown unknown
thoughwelcome.net unknown unknown
becausewithout.net unknown unknown
eitheraround.net unknown unknown
personenough.net unknown unknown
becausegovern.net unknown unknown
childrenexcept.net unknown unknown
rightcomplete.net unknown unknown
foreigngovern.net unknown unknown
englishexcept.net unknown unknown
whethernature.net unknown unknown
foreignproud.net unknown unknown
personwithout.net unknown unknown
suddenwithout.net unknown unknown
thoughcomplete.net unknown unknown
becauseprobable.net unknown unknown
eitherbridge.net unknown unknown
personneedle.net unknown unknown
rightprobable.net unknown unknown
childrenkitchen.net unknown unknown
whetherproud.net unknown unknown
picturewithout.net unknown unknown
suddennature.net unknown unknown
personproud.net unknown unknown
familyproud.net unknown unknown
childrenproud.net unknown unknown
pictureproud.net unknown unknown
becausearound.net unknown unknown
eitherwagon.net unknown unknown
picturearound.net unknown unknown
familycomplete.net unknown unknown
cigaretteprobable.net unknown unknown
machineneedle.net unknown unknown
englishbridge.net unknown unknown
eithercomplete.net unknown unknown
thoughwagon.net unknown unknown
becauseproud.net unknown unknown
picturekitchen.net unknown unknown
familywelcome.net unknown unknown
foreigncomplete.net unknown unknown
familybicycle.net unknown unknown
englishprobable.net unknown unknown
expectneedle.net unknown unknown
machinewagon.net unknown unknown
personcomplete.net unknown unknown
machinecomplete.net unknown unknown
expectcomplete.net unknown unknown
whetheraround.net unknown unknown
foreignneedle.net unknown unknown
figureprobable.net unknown unknown
whetherwelcome.net unknown unknown
machinewelcome.net unknown unknown
rightproud.net unknown unknown
expectenough.net unknown unknown
englishkitchen.net unknown unknown
expectprobable.net unknown unknown
expectproud.net unknown unknown
persongovern.net unknown unknown
childrenbridge.net unknown unknown
figurekitchen.net unknown unknown
picturewelcome.net unknown unknown
suddengovern.net unknown unknown
familyaround.net unknown unknown
expectnature.net unknown unknown
machinewithout.net unknown unknown