Source: Set-up.exe.7100.0.memstrmin | Malware Configuration Extractor: Cryptbot {"C2 list": ["+elevenvh11pt.top", "11pt.top", "@elevenvh11pt.top", "elevenvh11pt.top", "analforeverlovyu.top"]} |
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_006F15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, | 4_2_006F15B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2C14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, | 4_2_6C2C14B0 |
Source: Set-up.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: Set-up.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user |
Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\Documents\desktop.ini |
Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData |
Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local\Temp |
Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\Desktop\desktop.ini |
Source: C:\Users\user\Desktop\Set-up.exe | File opened: C:\Users\user\AppData\Local |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then lea ecx, dword ptr [esp+04h] | 4_2_006F81E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then sub esp, 1Ch | 4_2_6C33AEC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then sub esp, 1Ch | 4_2_6C33AF70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push esi | 4_2_6C2E0860 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, dword ptr [ecx+08h] | 4_2_6C2EA970 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push esi | 4_2_6C2EA9E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, dword ptr [ecx+08h] | 4_2_6C2EA9E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, 6C39F990h | 4_2_6C2DEB10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then sub esp, 1Ch | 4_2_6C2E4453 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push ebx | 4_2_6C3684A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, dword ptr [ecx] | 4_2_6C2EC510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, dword ptr [ecx+08h] | 4_2_6C2EA580 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push esi | 4_2_6C2EA5F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, dword ptr [ecx+08h] | 4_2_6C2EA5F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push esi | 4_2_6C2EE6E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, dword ptr [ecx] | 4_2_6C2EE6E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, ecx | 4_2_6C360730 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, dword ptr [ecx] | 4_2_6C2E0740 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then sub esp, 1Ch | 4_2_6C33C040 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then sub esp, 1Ch | 4_2_6C33C1A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, dword ptr [ecx+04h] | 4_2_6C31A1E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, dword ptr [ecx] | 4_2_6C2E0260 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, dword ptr [6C39D014h] | 4_2_6C394360 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then sub esp, 1Ch | 4_2_6C33BD10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push esi | 4_2_6C337D10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push edi | 4_2_6C333840 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then lea eax, dword ptr [ecx+04h] | 4_2_6C2ED974 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push ebp | 4_2_6C319B60 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push ebp | 4_2_6C2FBBDB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push ebp | 4_2_6C2FBBD7 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then sub esp, 1Ch | 4_2_6C33B4D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push ebp | 4_2_6C2ED504 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 4_2_6C339600 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] | 4_2_6C2ED674 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then mov eax, 6C39DFF4h | 4_2_6C333690 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then lea eax, dword ptr [ecx+08h] | 4_2_6C2ED7F4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push edi | 4_2_6C363140 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then sub esp, 1Ch | 4_2_6C2DB1D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then sub esp, 1Ch | 4_2_6C2ED2A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4x nop then push ebx | 4_2_6C357350 |
Source: Network traffic | Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49730 -> 185.244.181.140:80 |
Source: Network traffic | Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49732 -> 185.244.181.140:80 |
Source: Network traffic | Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49738 -> 185.244.181.140:80 |
Source: Malware configuration extractor | URLs: +elevenvh11pt.top |
Source: Malware configuration extractor | URLs: 11pt.top |
Source: Malware configuration extractor | URLs: @elevenvh11pt.top |
Source: Malware configuration extractor | URLs: elevenvh11pt.top |
Source: Malware configuration extractor | URLs: analforeverlovyu.top |
Source: Joe Sandbox View | IP Address: 185.244.181.140 |
Source: Joe Sandbox View | ASN Name: BELCLOUDBG |
Source: global traffic | HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary33730321User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: elevenvh11pt.top |
Source: global traffic | HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary17398190User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 89745Host: elevenvh11pt.top |
Source: global traffic | HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary32471747User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29706Host: elevenvh11pt.top |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | DNS traffic detected: DNS query: elevenvh11pt.top |
Source: unknown | HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary33730321User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: elevenvh11pt.top |
Source: Set-up.exe, 00000000.00000003.1838220618.0000000001438000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1838327408.000000000143C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://elevenvh11pt.top/v1/upload.php |
Source: Set-up.exe, 00000000.00000003.2309002492.0000000001460000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://elevenvh11pt.top/v1/upload.phpP |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: HXocObpYbsjxnCpoVLwZ.dll.0.dr | String found in binary or memory: https://gcc.gnu.org/bugs/): |
Source: Set-up.exe | String found in binary or memory: https://serviceupdate32.com/update |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2D9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, | 4_2_6C2D9C22 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2D9D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, | 4_2_6C2D9D11 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2D9E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, | 4_2_6C2D9E27 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_006F51B0 | 4_2_006F51B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_006F3E20 | 4_2_006F3E20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C302CCE | 4_2_6C302CCE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2CCD00 | 4_2_6C2CCD00 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2CEE50 | 4_2_6C2CEE50 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2D0FC0 | 4_2_6C2D0FC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C310AC0 | 4_2_6C310AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2D44F0 | 4_2_6C2D44F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C3046E0 | 4_2_6C3046E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C3007D0 | 4_2_6C3007D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2F87C0 | 4_2_6C2F87C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C310060 | 4_2_6C310060 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C302090 | 4_2_6C302090 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2F2360 | 4_2_6C2F2360 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C31DC70 | 4_2_6C31DC70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2D5880 | 4_2_6C2D5880 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2F98F0 | 4_2_6C2F98F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C307A20 | 4_2_6C307A20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C30DBEE | 4_2_6C30DBEE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C30140E | 4_2_6C30140E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C311510 | 4_2_6C311510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C30F610 | 4_2_6C30F610 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2EF760 | 4_2_6C2EF760 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2C3000 | 4_2_6C2C3000 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C3850D0 | 4_2_6C3850D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2D70C0 | 4_2_6C2D70C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: String function: 6C395980 appears 83 times | |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: String function: 6C393560 appears 43 times | |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: String function: 6C393B20 appears 38 times | |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: String function: 6C38ADB0 appears 49 times | |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: String function: 6C3936E0 appears 45 times | |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: String function: 6C393820 appears 31 times | |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: String function: 6C395A70 appears 77 times | |
Source: Set-up.exe, 00000000.00000002.2324509023.0000000001473000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameschtasks.exej% vs Set-up.exe |
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Mutant created: \Sessions\1\BaseNamedObjects\cyUfSaAVoKrgDgBDsopT |
Source: Set-up.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: unknown | Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe" | |
Source: C:\Users\user\Desktop\Set-up.exe | Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" | |
Source: C:\Users\user\Desktop\Set-up.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f | |
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe | |
Source: C:\Users\user\Desktop\Set-up.exe | Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
Source: C:\Users\user\Desktop\Set-up.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: webio.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: dpapi.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: dlnashext.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: wpdshext.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: edputil.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: appresolver.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: bcp47langs.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: slc.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: sppc.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Users\user\Desktop\Set-up.exe | Section loaded: msasn1.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: hxocobpybsjxncpovlwz.dll |
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll |
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: hxocobpybsjxncpovlwz.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Section loaded: hxocobpybsjxncpovlwz.dll |
Source: Set-up.exe | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: Set-up.exe | Static file information: File size 9979392 > 1048576 |
Source: Set-up.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c1800 |
Source: Set-up.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671200 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_006F8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, | 4_2_006F8230 |
Source: Set-up.exe | Static PE information: section name: .eh_fram |
Source: service123.exe.0.dr | Static PE information: section name: .eh_fram |
Source: HXocObpYbsjxnCpoVLwZ.dll.0.dr | Static PE information: section name: .eh_fram |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_006FA499 push es; iretd | 4_2_006FA694 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C370C30 push eax; mov dword ptr [esp], edi | 4_2_6C370DAA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C33ED10 push eax; mov dword ptr [esp], ebx | 4_2_6C33EE33 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C314E31 push eax; mov dword ptr [esp], ebx | 4_2_6C314E45 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C308E7A push edx; mov dword ptr [esp], ebx | 4_2_6C308E8E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C30A947 push eax; mov dword ptr [esp], ebx | 4_2_6C30A95B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C33EAB0 push eax; mov dword ptr [esp], ebx | 4_2_6C33EBDB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C328AA0 push eax; mov dword ptr [esp], ebx | 4_2_6C32909F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C310AA2 push eax; mov dword ptr [esp], ebx | 4_2_6C310AB6 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C312AAC push edx; mov dword ptr [esp], ebx | 4_2_6C312AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C342BF0 push eax; mov dword ptr [esp], ebx | 4_2_6C342F24 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C342BF0 push edx; mov dword ptr [esp], ebx | 4_2_6C342F43 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C308435 push edx; mov dword ptr [esp], ebx | 4_2_6C308449 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C328460 push eax; mov dword ptr [esp], ebx | 4_2_6C328A5F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C30048B push eax; mov dword ptr [esp], ebx | 4_2_6C3004A1 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C3004E0 push eax; mov dword ptr [esp], ebx | 4_2_6C3006DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2E1CFA push eax; mov dword ptr [esp], ebx | 4_2_6C396622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C30A5A7 push eax; mov dword ptr [esp], ebx | 4_2_6C30A5BB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C342620 push eax; mov dword ptr [esp], ebx | 4_2_6C342954 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C342620 push edx; mov dword ptr [esp], ebx | 4_2_6C342973 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C3506B0 push eax; mov dword ptr [esp], ebx | 4_2_6C350A4F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C3186A1 push 890005EAh; ret | 4_2_6C3186A9 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C3006A2 push eax; mov dword ptr [esp], ebx | 4_2_6C3006DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C3006A6 push eax; mov dword ptr [esp], ebx | 4_2_6C3006DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C3066F3 push edx; mov dword ptr [esp], ebx | 4_2_6C306707 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C3006FD push eax; mov dword ptr [esp], ebx | 4_2_6C3006DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C30070E push eax; mov dword ptr [esp], ebx | 4_2_6C3006DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C30A777 push eax; mov dword ptr [esp], ebx | 4_2_6C30A78B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C310042 push eax; mov dword ptr [esp], ebx | 4_2_6C310056 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Code function: 4_2_6C2DE0D0 push eax; mov dword ptr [esp], ebx | 4_2_6C396AF6 |
Source: C:\Users\user\Desktop\Set-up.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | API coverage: 1.1 % |
Source: C:\Users\user\Desktop\Set-up.exe TID: 6412 | Thread sleep time: -60000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2128 | Thread sleep count: 980 > 30 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2128 | Thread sleep time: -98000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Last function: Thread delayed |
Source: C:\Users\user\AppData\Local\Temp\service123.exe | Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: Set-up.exe | Binary or memory string: VMware |
Source: Set-up.exe | Binary or memory string: [long concatenated string dump omitted] |