Source: Set-up.exe.7100.0.memstrmin |
Malware Configuration Extractor: Cryptbot {"C2 list": ["+elevenvh11pt.top", "11pt.top", "@elevenvh11pt.top", "elevenvh11pt.top", "analforeverlovyu.top"]} |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_006F15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
4_2_006F15B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2C14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
4_2_6C2C14B0 |
Source: Set-up.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: Set-up.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Documents\desktop.ini |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Temp |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Desktop\desktop.ini |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea ecx, dword ptr [esp+04h] |
4_2_006F81E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C33AEC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C33AF70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C2E0860 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C2EA970 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C2EA9E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C2EA9E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6C39F990h |
4_2_6C2DEB10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C2E4453 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
4_2_6C3684A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C2EC510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C2EA580 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C2EA5F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C2EA5F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C2EE6E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C2EE6E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, ecx |
4_2_6C360730 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C2E0740 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C33C040 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C33C1A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+04h] |
4_2_6C31A1E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C2E0260 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [6C39D014h] |
4_2_6C394360 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C33BD10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C337D10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
4_2_6C333840 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+04h] |
4_2_6C2ED974 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C319B60 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C2FBBDB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C2FBBD7 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C33B4D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C2ED504 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [esp+04h] |
4_2_6C339600 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] |
4_2_6C2ED674 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6C39DFF4h |
4_2_6C333690 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+08h] |
4_2_6C2ED7F4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
4_2_6C363140 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C2DB1D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C2ED2A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
4_2_6C357350 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49730 -> 185.244.181.140:80 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49732 -> 185.244.181.140:80 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49738 -> 185.244.181.140:80 |
Source: Malware configuration extractor |
URLs: +elevenvh11pt.top |
Source: Malware configuration extractor |
URLs: 11pt.top |
Source: Malware configuration extractor |
URLs: @elevenvh11pt.top |
Source: Malware configuration extractor |
URLs: elevenvh11pt.top |
Source: Malware configuration extractor |
URLs: analforeverlovyu.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary33730321User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: elevenvh11pt.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary17398190User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 89745Host: elevenvh11pt.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary32471747User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29706Host: elevenvh11pt.top |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary33730321User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: elevenvh11pt.top |
Source: Set-up.exe, 00000000.00000003.1838220618.0000000001438000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1838327408.000000000143C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://elevenvh11pt.top/v1/upload.php |
Source: Set-up.exe, 00000000.00000003.2309002492.0000000001460000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://elevenvh11pt.top/v1/upload.phpP |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: HXocObpYbsjxnCpoVLwZ.dll.0.dr |
String found in binary or memory: https://gcc.gnu.org/bugs/): |
Source: Set-up.exe |
String found in binary or memory: https://serviceupdate32.com/update |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2D9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, |
4_2_6C2D9C22 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2D9D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, |
4_2_6C2D9D11 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2D9E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
4_2_6C2D9E27 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_006F51B0 |
4_2_006F51B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_006F3E20 |
4_2_006F3E20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C302CCE |
4_2_6C302CCE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2CCD00 |
4_2_6C2CCD00 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2CEE50 |
4_2_6C2CEE50 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2D0FC0 |
4_2_6C2D0FC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C310AC0 |
4_2_6C310AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2D44F0 |
4_2_6C2D44F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3046E0 |
4_2_6C3046E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3007D0 |
4_2_6C3007D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2F87C0 |
4_2_6C2F87C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C310060 |
4_2_6C310060 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C302090 |
4_2_6C302090 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2F2360 |
4_2_6C2F2360 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C31DC70 |
4_2_6C31DC70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2D5880 |
4_2_6C2D5880 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2F98F0 |
4_2_6C2F98F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C307A20 |
4_2_6C307A20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C30DBEE |
4_2_6C30DBEE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C30140E |
4_2_6C30140E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C311510 |
4_2_6C311510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C30F610 |
4_2_6C30F610 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2EF760 |
4_2_6C2EF760 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2C3000 |
4_2_6C2C3000 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3850D0 |
4_2_6C3850D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2D70C0 |
4_2_6C2D70C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C395980 appears 83 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C393560 appears 43 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C393B20 appears 38 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C38ADB0 appears 49 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C3936E0 appears 45 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C393820 appears 31 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C395A70 appears 77 times |
|
Source: Set-up.exe, 00000000.00000002.2324509023.0000000001473000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameschtasks.exej% vs Set-up.exe |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Mutant created: \Sessions\1\BaseNamedObjects\cyUfSaAVoKrgDgBDsopT |
Source: Set-up.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown |
Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe" |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: webio.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dpapi.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dlnashext.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wpdshext.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: edputil.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: appresolver.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: bcp47langs.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: slc.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: sppc.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: hxocobpybsjxncpovlwz.dll |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: taskschd.dll |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: xmllite.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: hxocobpybsjxncpovlwz.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: hxocobpybsjxncpovlwz.dll |
Source: Set-up.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: Set-up.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c1800 |
Source: Set-up.exe |
Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671200 |
Source: Set-up.exe |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_006F8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, |
4_2_006F8230 |
Source: Set-up.exe |
Static PE information: section name: .eh_fram |
Source: service123.exe.0.dr |
Static PE information: section name: .eh_fram |
Source: HXocObpYbsjxnCpoVLwZ.dll.0.dr |
Static PE information: section name: .eh_fram |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_006FA499 push es; iretd |
4_2_006FA694 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C370C30 push eax; mov dword ptr [esp], edi |
4_2_6C370DAA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C33ED10 push eax; mov dword ptr [esp], ebx |
4_2_6C33EE33 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C314E31 push eax; mov dword ptr [esp], ebx |
4_2_6C314E45 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C308E7A push edx; mov dword ptr [esp], ebx |
4_2_6C308E8E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C30A947 push eax; mov dword ptr [esp], ebx |
4_2_6C30A95B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C33EAB0 push eax; mov dword ptr [esp], ebx |
4_2_6C33EBDB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C328AA0 push eax; mov dword ptr [esp], ebx |
4_2_6C32909F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C310AA2 push eax; mov dword ptr [esp], ebx |
4_2_6C310AB6 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C312AAC push edx; mov dword ptr [esp], ebx |
4_2_6C312AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C342BF0 push eax; mov dword ptr [esp], ebx |
4_2_6C342F24 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C342BF0 push edx; mov dword ptr [esp], ebx |
4_2_6C342F43 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C308435 push edx; mov dword ptr [esp], ebx |
4_2_6C308449 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C328460 push eax; mov dword ptr [esp], ebx |
4_2_6C328A5F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C30048B push eax; mov dword ptr [esp], ebx |
4_2_6C3004A1 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3004E0 push eax; mov dword ptr [esp], ebx |
4_2_6C3006DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2E1CFA push eax; mov dword ptr [esp], ebx |
4_2_6C396622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C30A5A7 push eax; mov dword ptr [esp], ebx |
4_2_6C30A5BB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C342620 push eax; mov dword ptr [esp], ebx |
4_2_6C342954 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C342620 push edx; mov dword ptr [esp], ebx |
4_2_6C342973 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3506B0 push eax; mov dword ptr [esp], ebx |
4_2_6C350A4F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3186A1 push 890005EAh; ret |
4_2_6C3186A9 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3006A2 push eax; mov dword ptr [esp], ebx |
4_2_6C3006DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3006A6 push eax; mov dword ptr [esp], ebx |
4_2_6C3006DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3066F3 push edx; mov dword ptr [esp], ebx |
4_2_6C306707 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3006FD push eax; mov dword ptr [esp], ebx |
4_2_6C3006DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C30070E push eax; mov dword ptr [esp], ebx |
4_2_6C3006DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C30A777 push eax; mov dword ptr [esp], ebx |
4_2_6C30A78B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C310042 push eax; mov dword ptr [esp], ebx |
4_2_6C310056 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2DE0D0 push eax; mov dword ptr [esp], ebx |
4_2_6C396AF6 |
Source: C:\Users\user\Desktop\Set-up.exe |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Evasive API call chain: CreateMutex,DecisionNodes,Sleep |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Stalling execution: Execution stalls by calling Sleep |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
API coverage: 1.1 % |
Source: C:\Users\user\Desktop\Set-up.exe TID: 6412 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2128 |
Thread sleep count: 980 > 30 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2128 |
Thread sleep time: -98000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: Set-up.exe |
Binary or memory string: VMware |
Source: Set-up.exe |
Binary or memory string: !d->m_output_flush_remainingd->m_pOutput_buf < d->m_pOutput_buf_endmax_match_len <= TDEFL_MAX_MATCH_LEN(match_len >= TDEFL_MIN_MATCH_LEN) && (match_dist >= 1) && (match_dist <= TDEFL_LZ_DICT_SIZE)d->m_lookahead_size >= len_to_moveLibrarymetatdummySenhasiduser_data#4user_data#5integrationsOriginREDEngineDataFoldersentryService WorkerMcAfeeScreenPalEpsonFeedsGameDVRUserBenchmarkMovavi Video ConverterVS Revo GroupMovavi Video Editorwebviewuser_dataSavestbs_cache\Hewlett-PackardOISLogishrd.dartServerarduino-ide.arduinoIDEVirtualDJPC ManagerOneDriveGuest ProfilereposiTop Easy DesktopdictionariesSquirrelTempcom.adobe.dunamisMacromediaklnaejjgbibmhlephnhpmaofohgkpgkdaholpfdialjgjfhomihkjbmgjidlcdnoegjidjbpglichdcondbcbdnbeeppgdphefbglgofoippbgcjepnhiblaibcnclgkstoragephantomwalletmonedamonnaie...KeepSolid IncOKmusiWhitehatVpnReasonSaferWebSketchUpF12EAConnect_microsoftEADesktopFPSChessdumpsemojiA7FDF864FBC10B77F8806DD0C461824FAshampooAdguard Software LimitedAdguard_Software_LimitedASUS4kdownload.combluestacks-servicesJxBrowserAuthmailcardfactor%d x %dMicrosoft_CorporationIntel(R)VirtualBoxProgramsblob_storageABBYYChromiumContainerTegraRcmGUIUnrealEngineLauncher.thinkorswimLogiShrdMega LimitedISL Online CacheG HUBlghubWeModGrainemoedathumbnailsAviraD877F783D5D3EF8Cr+bSony CorporationPunkBusterRAV Endpoint ProtectionlinknoweurusdwodlhodlMAGIXVEGAScodecriptIdentityNexusIntegrationNotepad++DBGIsolatedStorageSamsung MagicianHD-Playerhakuneko-desktopBlizzardBattle.netUniSDKODISCLR_v2.0CLR_v2.0_32GamesAGSMy GamesFrontier DevelopmentsfnjhmkhhmkbjkkabndcnnogagogbneecdlcobpjiigpikoobohmabehhmhfoodbbMoises360safeMEmuPC Manager StoreclaveWinampUbisoft Game LauncherAMS SoftwareBlackmagic DesignPhotoWorksNCH SoftwareNitrounknown errorpaint.netMeltytechwindowParams.jsonLogin DataFree_PDF_SolutionsVMwarebitatomProgramDataRufusWindows MediaTypeScriptXboxLiveadspower_global\Docker Desktop\Ledger 
Live\tof_launcher\Canvadeemixmt-centerThinkBuzanVirtualStorePlaceholderTileLogoFolderApplePlay GamesRobloxPixelSee LLCNeroBGAHelperLibAugLoop3D ObjectsSearchesPublicContinuous MigrationSnapshotsLogsSavedConfigExpressVPNRoute0StreamingVideoProviderOverwolfdiscord.gradlecaches.ipythonHP_Easy_StarttdataCreativeppbibelpcjmhbdihakflkdcoccbgbkpoomaabbefbmiijedngplfjmnooppbclkk3uToolsMarcoMastroddiSWlaunchervshubExcelPowerPointEPSONAMSDKAnkiNoxUnrealEngineWinZipZoomSamsungUI LauncherDevice Metadatagecko_cacheUnityHubTikTok LIVE StudioTeamViewer.th |