Windows Analysis Report
QTmGYKK6SL.exe

Overview

General Information

Sample name: QTmGYKK6SL.exe
renamed because original name is a hash value
Original sample name: 190e4ed7759276e78d16398673996b2b.exe
Analysis ID: 1483438
MD5: 190e4ed7759276e78d16398673996b2b
SHA1: ce5bb936ab809356d5b0bc29b6be2e0d07d3dc0a
SHA256: d4e965deaaaa9d84359fbce89a2cb1966bca6bf525df8bbfb1ad9ed08df1daad
Tags: 64exetrojan
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Found Tor onion address
Machine Learning detection for dropped file
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious New Service Creation
Sigma detected: Suspicious Program Location with Network Connections
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains functionality to create new users
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapater information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://banana.incognet.io/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://reseed2.i2p.net/ Virustotal: Detection: 5% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Virustotal: Detection: 22% Perma Link
Multi AV Scanner detection for submitted file
Source: QTmGYKK6SL.exe Virustotal: Detection: 25% Perma Link
Source: QTmGYKK6SL.exe ReversingLabs: Detection: 23%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.2% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Joe Sandbox ML: detected

Compliance
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Unpacked PE file: 0.2.QTmGYKK6SL.exe.3420000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe File created: C:\Users\user\AppData\Local\Temp\installer.log Jump to behavior
Source: Binary string: RfxVmt.pdb source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000000E.00000003.1913857527.000002BAD3A5A000.00000004.00000020.00020000.00000000.sdmp, JcfQdL0z.14.dr
Source: Binary string: RfxVmt.pdbGCTL source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000000E.00000003.1913857527.000002BAD3A5A000.00000004.00000020.00020000.00000000.sdmp, JcfQdL0z.14.dr
Contains functionality to enumerate network shares
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE10246DAF NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree, 14_2_00007FFE10246DAF
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE10246DF3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree, 14_2_00007FFE10246DF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11716DF3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree, 24_2_00007FFE11716DF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11716DAF NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree, 24_2_00007FFE11716DAF
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACD47F3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FF7BACD47F3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1024A0D3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE1024A0D3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE11501883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE11501883
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE11EC5BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE11EC5BF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE126D5253 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE126D5253
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE13222FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE13222FE3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1A455803 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE1A455803
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE1171A0D3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE1171A0D3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11741883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE11741883
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11775BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE11775BF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11EC5253 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE11EC5253
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE126D2FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE126D2FE3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE13205803 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE13205803

Networking
barindex
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 45.8.98.78 ports 19063,0,1,3,6,9
Source: global traffic TCP traffic: 204.8.84.94 ports 20578,0,2,5,7,8
Source: global traffic TCP traffic: 68.148.96.106 ports 12385,1,2,3,5,8
Source: global traffic TCP traffic: 82.165.57.155 ports 27813,1,2,3,7,8
Source: global traffic TCP traffic: 24.177.113.51 ports 1,2,4,5,6,15624
Source: global traffic TCP traffic: 73.62.1.179 ports 17850,0,1,5,7,8
Source: global traffic TCP traffic: 186.28.6.171 ports 15230,0,1,2,3,5
Found Tor onion address
Source: QTmGYKK6SL.exe, 00000001.00000003.1843557253.0000000004466000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003A2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: main.exe String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: main.exe, 0000000E.00000002.2481168941.000002BAD4B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: main.exe, 0000000E.00000002.2482562172.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: main.exe String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,ht
Source: main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Source: update.pkg.3.dr String found in binary or memory: https://reseed2.i2p.net/,https://reseed.diva.exchange/,https://reseed-fr.i2pd.xyz/,https://reseed.memcpy.io/,https://reseed.onion.im/,https://i2pseed.creativecowpat.net:8443/,https://reseed.i2pgit.org/,https://banana.incognet.io/,https://reseed-pl.i2pd.xyz/,https://www2.mk16.de/,https://i2p.ghativega.in/,https://i2p.novg.net/
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 16
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 91.92.250.213:1110
Source: global traffic TCP traffic: 192.168.2.4:63482 -> 119.13.124.67:29762
Source: global traffic TCP traffic: 192.168.2.4:63483 -> 91.224.234.189:50444
Source: global traffic TCP traffic: 192.168.2.4:63484 -> 74.80.57.188:24372
Source: global traffic TCP traffic: 192.168.2.4:63485 -> 45.8.98.78:19063
Source: global traffic TCP traffic: 192.168.2.4:63486 -> 67.166.47.100:15536
Source: global traffic TCP traffic: 192.168.2.4:63487 -> 5.64.137.68:11737
Source: global traffic TCP traffic: 192.168.2.4:63488 -> 186.28.6.171:15230
Source: global traffic TCP traffic: 192.168.2.4:63489 -> 99.252.52.199:17541
Source: global traffic TCP traffic: 192.168.2.4:63490 -> 204.8.84.94:20578
Source: global traffic TCP traffic: 192.168.2.4:63491 -> 68.148.96.106:12385
Source: global traffic TCP traffic: 192.168.2.4:63492 -> 24.177.113.51:15624
Source: global traffic TCP traffic: 192.168.2.4:63504 -> 184.185.247.130:9859
Source: global traffic TCP traffic: 192.168.2.4:63506 -> 91.149.237.69:26412
Source: global traffic TCP traffic: 192.168.2.4:63509 -> 81.6.45.56:33834
Source: global traffic TCP traffic: 192.168.2.4:63510 -> 73.62.1.179:17850
Source: global traffic TCP traffic: 192.168.2.4:63511 -> 70.18.38.5:28737
Source: global traffic TCP traffic: 192.168.2.4:63512 -> 82.165.57.155:27813
Source: global traffic TCP traffic: 192.168.2.4:63514 -> 73.38.186.219:20033
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 45.89.55.34:19318
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 216.9.179.60:25750
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 86.5.235.24:18771
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 51.15.242.96:18384
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 79.228.26.155:18701
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 220.240.88.104:20056
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 46.151.24.133:21987
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 91.194.11.174:19248
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 139.59.159.178:44567
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 77.238.224.125:26317
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 194.87.219.156:19047
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 93.95.229.134:25799
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 217.76.54.24:22773
Source: global traffic UDP traffic: 192.168.2.4:9421 -> 2.177.225.52:16459
Source: global traffic UDP traffic: 192.168.2.4:10253 -> 173.230.128.232:26930
Source: global traffic UDP traffic: 192.168.2.4:10253 -> 23.241.223.162:23154
Source: global traffic UDP traffic: 192.168.2.4:10253 -> 94.103.188.190:28803
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: unknown TCP traffic detected without corresponding DNS query: 91.92.250.213
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE10245F3A recv,WSAGetLastError, 14_2_00007FFE10245F3A
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000000E.00000003.1915940712.000002BAD4B91000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000000E.00000003.1916098850.000002BAD4B97000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000018.00000003.2586491287.00000156D4C77000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000018.00000003.2586378729.00000156D4C71000.00000004.00000020.00020000.00000000.sdmp, xuutMjJX.14.dr, update.pkg.3.dr String found in binary or memory: http://127.0.0.1:8118
Source: main.exe, 0000000E.00000003.1915940712.000002BAD4B91000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000000E.00000003.1916098850.000002BAD4B97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:8118C
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, xuutMjJX.14.dr, update.pkg.3.dr String found in binary or memory: http://identiguy.i2p/hosts.txt
Source: update.pkg.3.dr String found in binary or memory: http://reg.i2p/hosts.txt
Source: main.exe, 0000000E.00000002.2481168941.000002BAD4B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://reg.i2p/hosts.txt8x
Source: main.exe, 00000018.00000002.2933918140.00000156D4C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://reg.i2p/hosts.txtV
Source: main.exe, 0000000E.00000002.2481168941.000002BAD4B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://reg.i2p/hosts.txtXn
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, xuutMjJX.14.dr, update.pkg.3.dr String found in binary or memory: http://rus.i2p/hosts.txt
Source: update.pkg.3.dr String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
Source: main.exe, 0000000E.00000002.2481168941.000002BAD4B5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtf
Source: main.exe, 0000000E.00000002.2481168941.000002BAD4B5D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txtxyz/
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, xuutMjJX.14.dr, update.pkg.3.dr String found in binary or memory: http://stats.i2p/cgi-bin/newhosts.txt
Source: Amcache.hve.22.dr String found in binary or memory: http://upx.sf.net
Source: main.exe, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://banana.incognet.io/
Source: main.exe, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://i2p.ghativega.in/
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, xuutMjJX.14.dr, update.pkg.3.dr String found in binary or memory: https://i2p.mooo.com/netDb/
Source: main.exe, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://i2p.novg.net/
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, xuutMjJX.14.dr, update.pkg.3.dr String found in binary or memory: https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
Source: main.exe, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://i2pseed.creativecowpat.net:8443/
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, xuutMjJX.14.dr, update.pkg.3.dr String found in binary or memory: https://legit-website.com/i2pseeds.su3
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, xuutMjJX.14.dr, update.pkg.3.dr String found in binary or memory: https://netdb.i2p2.no/
Source: main.exe, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://reseed-fr.i2pd.xyz/
Source: main.exe, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://reseed-pl.i2pd.xyz/
Source: main.exe, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://reseed.diva.exchange/
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, xuutMjJX.14.dr, update.pkg.3.dr String found in binary or memory: https://reseed.i2p-projekt.de/
Source: main.exe, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://reseed.i2pgit.org/
Source: main.exe, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://reseed.memcpy.io/
Source: main.exe, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://reseed.onion.im/
Source: main.exe, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://reseed2.i2p.net/
Source: QTmGYKK6SL.exe, 00000001.00000003.1843557253.0000000004466000.00000004.00000020.00020000.00000000.sdmp, QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003A2F000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000000E.00000002.2481168941.000002BAD4B5D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000000E.00000002.2482562172.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2935551559.00007FFDFB7E4000.00000002.00000001.01000000.0000000A.sdmp, main.exe, 00000018.00000002.2933918140.00000156D4C3D000.00000004.00000020.00020000.00000000.sdmp, update.pkg.3.dr String found in binary or memory: https://www2.mk16.de/
Contains functionality to launch a process as a different user
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1150F0FE strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError, 14_2_00007FFE1150F0FE
Deletes files inside the Windows folder
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File deleted: C:\Windows\Temp\gJinHgIG Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Code function: 0_2_033A7B92 0_2_033A7B92
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Code function: 0_2_033B6BCE 0_2_033B6BCE
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Code function: 0_2_033A4962 0_2_033A4962
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Code function: 0_2_033AC95A 0_2_033AC95A
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Code function: 0_2_033A5956 0_2_033A5956
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Code function: 0_2_033A98AA 0_2_033A98AA
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Code function: 0_2_033B4F9A 0_2_033B4F9A
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Code function: 0_2_033A5EE6 0_2_033A5EE6
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Code function: 0_2_033BCCD2 0_2_033BCCD2
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACDC490 14_2_00007FF7BACDC490
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE102508D0 14_2_00007FFE102508D0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE11512520 14_2_00007FFE11512520
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE11ECEFB0 14_2_00007FFE11ECEFB0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE126DEAF0 14_2_00007FFE126DEAF0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1322904C 14_2_00007FFE1322904C
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE13228F5E 14_2_00007FFE13228F5E
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE13228E16 14_2_00007FFE13228E16
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE132304B0 14_2_00007FFE132304B0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE13228D2B 14_2_00007FFE13228D2B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1A45CB60 14_2_00007FFE1A45CB60
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE117208D0 24_2_00007FFE117208D0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11752520 24_2_00007FFE11752520
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE1177EFB0 24_2_00007FFE1177EFB0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11ECEAF0 24_2_00007FFE11ECEAF0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE126D904C 24_2_00007FFE126D904C
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE126D8F5E 24_2_00007FFE126D8F5E
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE126E04B0 24_2_00007FFE126E04B0
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE126D8D2B 24_2_00007FFE126D8D2B
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE126D8E16 24_2_00007FFE126D8E16
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE1320CB60 24_2_00007FFE1320CB60
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll 9BC6EDD286F4DCD83E57B541BC99038F7E902DE943A6FD528BA485DF1187FFA8
Source: Joe Sandbox View Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll 1DA31243257B0EBC79BA57CA98E6A3A1996CC4E2641E96098561CDCB1FA3EE46
Source: Joe Sandbox View Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll 2B5DC45E89700D4B991ADDED1AA097641D60932B7BBE2C12FC8536B9D46F15A6
Source: Joe Sandbox View Dropped File: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll 154C3DCA584BB1F78C7AE7688D70998F2B62BED8884267E3FCF150BFEFE2C9D8
Enables security privileges
Source: C:\Windows\System32\icacls.exe Process token adjusted: Security Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE117140D2 appears 473 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE132277A2 appears 388 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE1150C852 appears 526 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE11EC9DC2 appears 405 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FF7BACD2EF2 appears 314 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE102440D2 appears 473 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE11779DC2 appears 405 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE1A4520C2 appears 356 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE132020C2 appears 356 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE126D1352 appears 398 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE11EC1352 appears 398 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE126D77A2 appears 388 times
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: String function: 00007FFE1174C852 appears 526 times
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 3164 -ip 3164
PE file contains more sections than normal
Source: prgmgr.dll.14.dr Static PE information: Number of sections : 11 > 10
Source: TMCsWjkD.14.dr Static PE information: Number of sections : 11 > 10
Source: libi2p.dll.14.dr Static PE information: Number of sections : 11 > 10
Source: WQZiUkLe.14.dr Static PE information: Number of sections : 11 > 10
Source: 78a0MAty.14.dr Static PE information: Number of sections : 11 > 10
Source: termsrv32.dll.14.dr Static PE information: Number of sections : 11 > 10
Source: rJnwiXXd.14.dr Static PE information: Number of sections : 11 > 10
Source: samctl.dll.14.dr Static PE information: Number of sections : 11 > 10
Source: to1wcXFh.14.dr Static PE information: Number of sections : 11 > 10
Source: rdpctl.dll.14.dr Static PE information: Number of sections : 11 > 10
Source: QTmGYKK6SL.exe Static PE information: Number of sections : 11 > 10
Source: gJinHgIG.14.dr Static PE information: Number of sections : 11 > 10
Source: M3Cw7G9m.14.dr Static PE information: Number of sections : 11 > 10
Source: dwlmgr.dll.14.dr Static PE information: Number of sections : 11 > 10
Source: evtsrv.dll.14.dr Static PE information: Number of sections : 11 > 10
Source: cnccli.dll.14.dr Static PE information: Number of sections : 11 > 10
Source: ViiRS0bs.14.dr Static PE information: Number of sections : 11 > 10
Sample file is different than original file name gathered from version info
Source: QTmGYKK6SL.exe, 00000000.00000002.1702392786.0000000002C63000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs QTmGYKK6SL.exe
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerfxvmt.dllj% vs QTmGYKK6SL.exe
Source: QTmGYKK6SL.exe, 00000001.00000002.2933702042.0000000002CE3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs QTmGYKK6SL.exe
Source: classification engine Classification label: mal100.troj.evad.winEXE@32/51@0/37
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACD2029 FindResourceA,LoadResource,GetLastError,GetLastError,GetLastError,GetLastError, 14_2_00007FF7BACD2029
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACD1DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError, 14_2_00007FF7BACD1DBC
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACD1DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError, 14_2_00007FF7BACD1DBC
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d} Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:1804:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess3164
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_03
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe File created: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Jump to behavior
Source: QTmGYKK6SL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File read: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\config.ini Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: QTmGYKK6SL.exe Virustotal: Detection: 25%
Source: QTmGYKK6SL.exe ReversingLabs: Detection: 23%
Source: main.exe String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: main.exe String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address.ipp
Source: main.exe String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v4.ipp
Source: main.exe String found in binary or memory: C:/msys64/mingw64/include/boost/asio/ip/impl/address_v6.ipp
Source: QTmGYKK6SL.exe String found in binary or memory: NATS-SEFI-ADD
Source: QTmGYKK6SL.exe String found in binary or memory: NATS-DANO-ADD
Source: QTmGYKK6SL.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: QTmGYKK6SL.exe String found in binary or memory: jp-ocr-b-add
Source: QTmGYKK6SL.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: QTmGYKK6SL.exe String found in binary or memory: jp-ocr-hand-add
Source: QTmGYKK6SL.exe String found in binary or memory: ISO_6937-2-add
Source: unknown Process created: C:\Users\user\Desktop\QTmGYKK6SL.exe "C:\Users\user\Desktop\QTmGYKK6SL.exe"
Source: unknown Process created: C:\Users\user\Desktop\QTmGYKK6SL.exe C:\Users\user\Desktop\QTmGYKK6SL.exe
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Process created: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Windows\System32\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ZsL2hKzmRChz.acl
Source: C:\Windows\System32\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 3164 -ip 3164
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3164 -s 1156
Source: unknown Process created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Process created: C:\Users\user\Desktop\QTmGYKK6SL.exe C:\Users\user\Desktop\QTmGYKK6SL.exe Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Process created: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\sc.exe sc.exe create RDP-Controller binpath= C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe type= own start= auto error= ignore Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\sc.exe sc.exe failure RDP-Controller reset= 1 actions= restart/10000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\sc.exe sc.exe start RDP-Controller Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public /restore C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ZsL2hKzmRChz.acl Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 3164 -ip 3164 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3164 -s 1156 Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: libi2p.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: libi2p.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File written: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.ini Jump to behavior
Source: QTmGYKK6SL.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: QTmGYKK6SL.exe Static file information: File size 12016128 > 1048576
Source: QTmGYKK6SL.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x8bc200
Source: QTmGYKK6SL.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10e400
Source: Binary string: RfxVmt.pdb source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000000E.00000003.1913857527.000002BAD3A5A000.00000004.00000020.00020000.00000000.sdmp, JcfQdL0z.14.dr
Source: Binary string: RfxVmt.pdbGCTL source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp, o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp, main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000000E.00000003.1913857527.000002BAD3A5A000.00000004.00000020.00020000.00000000.sdmp, JcfQdL0z.14.dr

Data Obfuscation
barindex
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Unpacked PE file: 0.2.QTmGYKK6SL.exe.3420000.2.unpack
Binary contains a suspicious time stamp
Source: rfxvmt.dll.14.dr Static PE information: 0xE004CD23 [Sat Feb 5 03:04:03 2089 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACDDECE GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, 14_2_00007FF7BACDDECE
PE file contains sections with non-standard names
Source: QTmGYKK6SL.exe Static PE information: section name: .didata
Source: o0c2ddmlg7qrbu2xkviy.exe.1.dr Static PE information: section name: .xdata
Source: main.exe.3.dr Static PE information: section name: .xdata
Source: libi2p.dll.14.dr Static PE information: section name: .xdata
Source: evtsrv.dll.14.dr Static PE information: section name: .xdata
Source: cnccli.dll.14.dr Static PE information: section name: .xdata
Source: termsrv32.dll.14.dr Static PE information: section name: .xdata
Source: rdpctl.dll.14.dr Static PE information: section name: .xdata
Source: samctl.dll.14.dr Static PE information: section name: .xdata
Source: prgmgr.dll.14.dr Static PE information: section name: .xdata
Source: dwlmgr.dll.14.dr Static PE information: section name: .xdata
Source: to1wcXFh.14.dr Static PE information: section name: .xdata
Source: ViiRS0bs.14.dr Static PE information: section name: .xdata
Source: WQZiUkLe.14.dr Static PE information: section name: .xdata
Source: gJinHgIG.14.dr Static PE information: section name: .xdata
Source: TMCsWjkD.14.dr Static PE information: section name: .xdata
Source: rJnwiXXd.14.dr Static PE information: section name: .xdata
Source: M3Cw7G9m.14.dr Static PE information: section name: .xdata
Source: 78a0MAty.14.dr Static PE information: section name: .xdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Code function: 0_2_033A6575 push esi; ret 0_2_033A6577
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115179B3 push qword ptr [00007FFE47517884h]; retf 14_2_00007FFE115179B9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115179BB push qword ptr [00007FFE4751788Ch]; retf 14_2_00007FFE115179C1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115179FF push qword ptr [00007FFE475178D0h]; retf 14_2_00007FFE11517A05
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE11517A07 push qword ptr [00007FFE475178D8h]; retf 14_2_00007FFE11517A0D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE11517A0F push qword ptr [00007FFE475178E0h]; retf 14_2_00007FFE11517A15
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE11517A17 push qword ptr [00007FFE185178E8h]; retf 14_2_00007FFE11517A1D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115179E7 push qword ptr [00007FFE475178B8h]; retf 14_2_00007FFE115179ED
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115179EF push qword ptr [00007FFE475178C0h]; retf 14_2_00007FFE115179F5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115179F7 push qword ptr [00007FFE475178C8h]; retf 14_2_00007FFE115179FD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115179C3 push qword ptr [00007FFE47517894h]; retf 14_2_00007FFE115179C9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115179CB push qword ptr [00007FFE4751789Ch]; retf 14_2_00007FFE115179D1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115179D3 push qword ptr [00007FFE475178A4h]; retf 14_2_00007FFE115179D9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115172B8 push rsp; ret 14_2_00007FFE115172B9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115172BC push rsp; ret 14_2_00007FFE115172BD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1151726F push qword ptr [rsi]; ret 14_2_00007FFE11517275
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1151727C push rsp; ret 14_2_00007FFE1151727D
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115172E0 push rsp; ret 14_2_00007FFE115172E1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115172E4 push rsp; ret 14_2_00007FFE115172E5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115172E8 push rsp; ret 14_2_00007FFE115172E9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115172C4 push rsp; ret 14_2_00007FFE115172C5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115172CC push rsp; ret 14_2_00007FFE115172CD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115172D0 push rsp; ret 14_2_00007FFE115172D1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115172D4 push rsp; ret 14_2_00007FFE115172D5
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115172D8 push rsp; ret 14_2_00007FFE115172D9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE115172DC push rsp; ret 14_2_00007FFE115172DD
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE132315D7 push rsp; retf 0000h 14_2_00007FFE132315D8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE117579C3 push qword ptr [00007FFE47757894h]; retf 24_2_00007FFE117579C9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE117579CB push qword ptr [00007FFE4775789Ch]; retf 24_2_00007FFE117579D1
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE117579D3 push qword ptr [00007FFE477578A4h]; retf 24_2_00007FFE117579D9
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE117579E7 push qword ptr [00007FFE477578B8h]; retf 24_2_00007FFE117579ED
Contains functionality to create new users
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1024875B strlen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strlen,NetUserAdd,CreateProfile, 14_2_00007FFE1024875B
Drops PE files
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\ViiRS0bs Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\gJinHgIG Jump to dropped file
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe File created: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\to1wcXFh Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\78a0MAty Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\WQZiUkLe Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\rJnwiXXd Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\M3Cw7G9m Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\libi2p.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\JcfQdL0z Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\TMCsWjkD Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\ViiRS0bs Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\gJinHgIG Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\to1wcXFh Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\78a0MAty Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\WQZiUkLe Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\rJnwiXXd Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\M3Cw7G9m Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\JcfQdL0z Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\TMCsWjkD Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\to1wcXFh Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\ViiRS0bs Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\WQZiUkLe Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\gJinHgIG Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\JcfQdL0z Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\TMCsWjkD Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\rJnwiXXd Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\M3Cw7G9m Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe File created: C:\Windows\Temp\78a0MAty Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe File created: C:\Users\user\AppData\Local\Temp\installer.log Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACD1DBC strcmp,strcmp,StartServiceCtrlDispatcherA,_read,GetLastError, 14_2_00007FF7BACD1DBC
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\sc.exe sc.exe stop RDP-Controller

Hooking and other Techniques for Hiding and Protection
barindex
Contains functionality to hide user accounts
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: QTmGYKK6SL.exe, 00000001.00000003.1854237313.0000000003B54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000000.1866831901.00007FF66564E000.00000008.00000001.01000000.00000005.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 0000000E.00000002.2480467750.000002BAD4726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 0000000E.00000002.2483323686.00007FFE10254000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 0000000E.00000002.2483323686.00007FFE10254000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe, 0000000E.00000003.1914709125.000002BAD3A5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 0000000E.00000003.1914709125.000002BAD3A5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: main.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000018.00000002.2935871980.00007FFE11724000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: main.exe, 00000018.00000002.2935871980.00007FFE11724000.00000002.00000001.01000000.0000000E.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Source: samctl.dll.14.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: samctl.dll.14.dr String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListsam_user_test_special_accountsam_user_set_special_account(is_set == 0) || (is_set == 1)SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts[E] (%s) -> Failed(s_sid=%s,is_set=%d,err=%08x)
Uses cacls to modify the permissions of files
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Process created: C:\Windows\System32\icacls.exe icacls.exe C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\ /setowner *S-1-5-18
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to enumerate running services
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy, 14_2_00007FFE11507694
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetLastError,EnumServicesStatusExA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,strlen,strlen,GetProcessHeap,HeapAlloc,strcpy, 24_2_00007FFE11747694
Contains functionality to query network adapater information
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 14_2_00007FFE102460C8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 14_2_00007FFE1150B648
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 14_2_00007FFE11EC2738
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 14_2_00007FFE126D4978
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 14_2_00007FFE13221D98
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 14_2_00007FFE1A4530A8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 24_2_00007FFE117160C8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 24_2_00007FFE1174B648
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 24_2_00007FFE11772738
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 24_2_00007FFE11EC4978
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 24_2_00007FFE126D1D98
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: GetProcessHeap,HeapAlloc,GetAdaptersInfo,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo, 24_2_00007FFE132030A8
Found dropped PE file which has not been started or loaded
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\evtsrv.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\ViiRS0bs Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\gJinHgIG Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\to1wcXFh Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\78a0MAty Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\prgmgr.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rdpctl.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\termsrv32.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\WQZiUkLe Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\rfxvmt.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\samctl.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\cnccli.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\rJnwiXXd Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\M3Cw7G9m Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\dwlmgr.dll Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\JcfQdL0z Jump to dropped file
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Dropped PE file which has not been started: C:\Windows\Temp\TMCsWjkD Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe API coverage: 9.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe TID: 3288 Thread sleep count: 195 > 30 Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe TID: 3288 Thread sleep time: -11700000s >= -30000s Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 6808 Thread sleep count: 63 > 30 Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 6808 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5756 Thread sleep count: 63 > 30 Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5756 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 4136 Thread sleep count: 56 > 30 Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 8 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5644 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe TID: 5448 Thread sleep count: 31 > 30 Jump to behavior
Queries keyboard layouts
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 Jump to behavior
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Last function: Thread delayed
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACD47F3 FindNextFileA,_mbscpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FF7BACD47F3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1024A0D3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE1024A0D3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE11501883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE11501883
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE11EC5BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE11EC5BF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE126D5253 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE126D5253
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE13222FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE13222FE3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1A455803 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 14_2_00007FFE1A455803
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE1171A0D3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE1171A0D3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11741883 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE11741883
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11775BF3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE11775BF3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11EC5253 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE11EC5253
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE126D2FE3 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE126D2FE3
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE13205803 FindNextFileA,strcpy,FindFirstFileA,GetLastError,GetLastError,FindClose, 24_2_00007FFE13205803
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Thread delayed: delay time: 60000 Jump to behavior
Source: Amcache.hve.22.dr Binary or memory string: VMware
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.22.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.22.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.22.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.22.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.22.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.22.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.22.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.22.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.22.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: QTmGYKK6SL.exe, 00000001.00000002.2933221271.00000000010E8000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000000E.00000003.1915621130.000002BAD3A61000.00000004.00000020.00020000.00000000.sdmp, main.exe, 0000000E.00000002.2480258672.000002BAD3A53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: main.exe, 00000018.00000002.2933664807.00000156D4527000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllGG
Source: o0c2ddmlg7qrbu2xkviy.exe, 00000003.00000002.1970305392.0000023071658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMM
Source: Amcache.hve.22.dr Binary or memory string: vmci.sys
Source: Amcache.hve.22.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.22.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.22.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.22.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.22.dr Binary or memory string: VMware20,1
Source: Amcache.hve.22.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.22.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.22.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.22.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.22.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.22.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Process queried: DebugPort Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACDDECE GetModuleHandleW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress, 14_2_00007FF7BACDDECE
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACD3452 GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,strncpy,strncpy,strncpy, 14_2_00007FF7BACD3452
Enables debug privileges
Source: C:\Users\user\Desktop\QTmGYKK6SL.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACD1131 Sleep,Sleep,_amsg_exit,_initterm,_initterm,SetUnhandledExceptionFilter,_malloc_dbg,strlen,_malloc_dbg,_cexit, 14_2_00007FF7BACD1131
Contains functionality to execute programs as a different user
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1150F0FE strlen,strcat,strlen,strlen,strlen,strcat,strlen,strlen,strlen,strcat,LogonUserA,GetLastError,CreateProcessAsUserA,GetLastError,CloseHandle,CreateProcessA,GetLastError, 14_2_00007FFE1150F0FE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 432 -p 3164 -ip 3164 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3164 -s 1156 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FF7BACD8235 GetSystemTimeAsFileTime, 14_2_00007FF7BACD8235
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE10246DF3 LocalAlloc,wcsncpy,LookupAccountNameW,GetLastError,GetLastError,LocalAlloc,LookupAccountNameW,LocalFree,GetLastError,ConvertSidToStringSidA,GetLastError,wcslen,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NetApiBufferFree,NetUserEnum,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapFree, 14_2_00007FFE10246DF3
Source: C:\Users\user\AppData\Local\Temp\o0c2ddmlg7qrbu2xkviy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.22.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.22.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.22.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.22.dr Binary or memory string: MsMpEng.exe
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1024592A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 14_2_00007FFE1024592A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1150AEAA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 14_2_00007FFE1150AEAA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE11EC1F9A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 14_2_00007FFE11EC1F9A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE126D41DA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 14_2_00007FFE126D41DA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE132215FA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 14_2_00007FFE132215FA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1A45290A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 14_2_00007FFE1A45290A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1A45A751 bind, 14_2_00007FFE1A45A751
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1A46B820 listen,htons,recv,select, 14_2_00007FFE1A46B820
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 14_2_00007FFE1A46B7E8 bind, 14_2_00007FFE1A46B7E8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE1171592A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 24_2_00007FFE1171592A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE1174AEAA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 24_2_00007FFE1174AEAA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11771F9A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 24_2_00007FFE11771F9A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE11EC41DA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 24_2_00007FFE11EC41DA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE126D15FA socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 24_2_00007FFE126D15FA
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE1320290A socket,htonl,htons,bind,listen,WSAGetLastError,WSAGetLastError,WSAGetLastError, 24_2_00007FFE1320290A
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE1320A751 bind, 24_2_00007FFE1320A751
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE1321B7E8 bind, 24_2_00007FFE1321B7E8
Source: C:\Users\Public\Computer.{20d04fe0-3aea-1069-a2d8-08002b30309d}\main.exe Code function: 24_2_00007FFE1321B820 listen,htons,recv,select, 24_2_00007FFE1321B820
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1483438 Sample: QTmGYKK6SL.exe Startdate: 27/07/2024 Architecture: WINDOWS Score: 100 75 Multi AV Scanner detection for domain / URL 2->75 77 Antivirus detection for URL or domain 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 7 other signatures 2->81 8 main.exe 156 2->8         started        13 QTmGYKK6SL.exe 1 2->13         started        15 main.exe 2 2->15         started        17 3 other processes 2->17 process3 dnsIp4 61 68.148.96.106 SHAWCA Canada 8->61 63 82.165.57.155 ONEANDONE-ASBrauerstrasse48DE Germany 8->63 71 29 other IPs or domains 8->71 51 C:\Windows\Temp\to1wcXFh, PE32+ 8->51 dropped 53 C:\Windows\Temp\rJnwiXXd, PE32+ 8->53 dropped 55 C:\Windows\Temp\gJinHgIG, PE32+ 8->55 dropped 59 15 other files (13 malicious) 8->59 dropped 91 Contains functionality to hide user accounts 8->91 93 Found Tor onion address 8->93 19 WerFault.exe 19 16 8->19         started        65 91.92.250.213, 1110, 49730 THEZONEBG Bulgaria 13->65 57 C:\Users\user\...\o0c2ddmlg7qrbu2xkviy.exe, PE32+ 13->57 dropped 22 o0c2ddmlg7qrbu2xkviy.exe 10 13->22         started        67 23.241.223.162 TWC-20001-PACWESTUS United States 15->67 69 94.103.188.190 RATELE-ASRU Russian Federation 15->69 73 3 other IPs or domains 15->73 95 Detected unpacking (creates a PE file in dynamic memory) 17->95 25 WerFault.exe 2 17->25         started        file5 signatures6 process7 file8 47 C:\ProgramData\Microsoft\...\Report.wer, Unicode 19->47 dropped 49 C:\Users\Public\...\main.exe, PE32+ 22->49 dropped 83 Multi AV Scanner detection for dropped file 22->83 85 Contains functionality to hide user accounts 22->85 87 Machine Learning detection for dropped file 22->87 89 Found Tor onion address 22->89 27 icacls.exe 1 22->27         started        29 icacls.exe 1 22->29         started        31 sc.exe 1 22->31         started        33 3 other processes 22->33 signatures9 process10 process11 35 conhost.exe 27->35         started        37 conhost.exe 29->37         started        39 conhost.exe 31->39         started        41 conhost.exe 33->41         started        43 conhost.exe 33->43         started        45 conhost.exe 33->45         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
184.185.247.130
 unknown United States
22773 ASN-CXA-ALL-CCI-22773-RDCUS false
216.9.179.60
 unknown United States
17385 ORBITELUS false
73.38.186.219
 unknown United States
7922 COMCAST-7922US false
217.76.54.24
 unknown Sweden
39597 SVNET-SE-ASSverigeNetMedianetworkiHalmstadABSE false
45.8.98.78
 unknown Russian Federation
395800 GBTCLOUDUS true
204.8.84.94
 unknown United States
32641 ARBINET-INTERNALUS true
82.165.57.155
 unknown Germany
8560 ONEANDONE-ASBrauerstrasse48DE true
173.230.128.232
 unknown United States
63949 LINODE-APLinodeLLCUS false
51.15.242.96
 unknown France
12876 OnlineSASFR false
2.177.225.52
 unknown Iran (ISLAMIC Republic Of)
12880 DCI-ASIR false
220.240.88.104
 unknown Australia
7545 TPG-INTERNET-APTPGTelecomLimitedAU false
91.149.237.69
 unknown Poland
41952 MARTON-ASPL false
91.92.250.213
 unknown Bulgaria
34368 THEZONEBG false
86.5.235.24
 unknown United Kingdom
5089 NTLGB false
81.6.45.56
 unknown Switzerland
13030 INIT7CH false
74.80.57.188
 unknown United States
25921 LUS-FIBER-LCGUS false
94.103.188.190
 unknown Russian Federation
197390 RATELE-ASRU false
194.87.219.156
 unknown Russian Federation
197695 AS-REGRU false
91.194.11.174
 unknown Russian Federation
42994 HQservCommunicationSolutionsIL false
79.228.26.155
 unknown Germany
3320 DTAGInternetserviceprovideroperationsDE false
67.166.47.100
 unknown United States
7922 COMCAST-7922US false
68.148.96.106
 unknown Canada
6327 SHAWCA true
23.241.223.162
 unknown United States
20001 TWC-20001-PACWESTUS false
70.18.38.5
 unknown United States
701 UUNETUS false
119.13.124.67
 unknown Australia
9723 ISEEK-AS-APiseekCommunicationsPtyLtdAU true
5.64.137.68
 unknown United Kingdom
5607 BSKYB-BROADBAND-ASGB false
24.177.113.51
 unknown United States
20115 CHARTER-20115US true
139.59.159.178
 unknown Singapore
14061 DIGITALOCEAN-ASNUS false
45.89.55.34
 unknown Russian Federation
44676 VMAGE-ASRU false
91.224.234.189
 unknown Russian Federation
56542 PARKTELECOM-ASRU false
46.151.24.133
 unknown Russian Federation
49608 T4D_RU-ASRU false
73.62.1.179
 unknown United States
7922 COMCAST-7922US true
99.252.52.199
 unknown Canada
812 ROGERS-COMMUNICATIONSCA false
93.95.229.134
 unknown Iceland
44925 THE-1984-ASIS false
77.238.224.125
 unknown Russian Federation
42429 TELERU-ASRU false
186.28.6.171
 unknown Colombia
19429 ETB-ColombiaCO true

Private

IP
127.0.0.1