Source: Set-up.exe.7300.1.memstrmin |
Malware Configuration Extractor: Cryptbot {"C2 list": ["analforeverlovyu.top", "tventyvr20pt.top", "@tventyvr20pt.top"]} |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_007B15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
5_2_007B15B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA214B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
5_2_6CA214B0 |
Source: Set-up.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Documents\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Temp |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea ecx, dword ptr [esp+04h] |
5_2_007B81E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA9AEC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA9AF70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA9AF70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6CA40860 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6CA4A9E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6CA4A9E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6CA4A970 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6CAFF960h |
5_2_6CA3EB10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
5_2_6CAC84A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA44453 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6CA4A580 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6CA4A5F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
5_2_6CA4A5F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6CA4C510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6CA4E6E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6CA4E6E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, ecx |
5_2_6CAC0730 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6CA40740 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA9C040 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA9C1A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+04h] |
5_2_6CA7A1E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
5_2_6CA40260 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [6CAFD014h] |
5_2_6CAF4360 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA9BD10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
5_2_6CA97D10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
5_2_6CA93840 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+04h] |
5_2_6CA4D974 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6CA5BBD7 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6CA5BBDB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6CA79B60 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA9B4D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
5_2_6CA4D504 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6CAFDFF4h |
5_2_6CA93690 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [esp+04h] |
5_2_6CA99600 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] |
5_2_6CA4D674 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+08h] |
5_2_6CA4D7F4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA3B1D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
5_2_6CAC3140 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
5_2_6CA4D2A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
5_2_6CAB7350 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.10:49819 -> 185.244.181.140:80 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.10:49880 -> 185.244.181.140:80 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.10:49854 -> 185.244.181.140:80 |
Source: Malware configuration extractor |
URLs: analforeverlovyu.top |
Source: Malware configuration extractor |
URLs: tventyvr20pt.top |
Source: Malware configuration extractor |
URLs: @tventyvr20pt.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary61629611User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: tventyvr20pt.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary88671164User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 76606Host: tventyvr20pt.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary46959985User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 30035Host: tventyvr20pt.top |
Source: unknown |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary61629611User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: tventyvr20pt.top |
Source: Set-up.exe, 00000001.00000003.1511322357.000000000186A000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1511093463.0000000001867000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://tventyvr20pt.top/v1/upload.php |
Source: Set-up.exe, 00000001.00000002.2100341753.0000000001867000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://tventyvr20pt.top/v1/upload.phpX |
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: siNpVQuBSTLTLeNwdJHL.dll.1.dr |
String found in binary or memory: https://gcc.gnu.org/bugs/): |
Source: Set-up.exe |
String found in binary or memory: https://serviceupdate32.com/update |
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: Set-up.exe, 00000001.00000003.1566655654.00000000039FB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA39C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, |
5_2_6CA39C22 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA39C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, |
5_2_6CA39C22 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA39D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard, |
5_2_6CA39D11 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_007B51B0 |
5_2_007B51B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_007B3E20 |
5_2_007B3E20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA62CCE |
5_2_6CA62CCE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA2CD00 |
5_2_6CA2CD00 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA2EE50 |
5_2_6CA2EE50 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA30FC0 |
5_2_6CA30FC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA70AC0 |
5_2_6CA70AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA344F0 |
5_2_6CA344F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA646E0 |
5_2_6CA646E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA587C0 |
5_2_6CA587C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA607D0 |
5_2_6CA607D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA62090 |
5_2_6CA62090 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA70060 |
5_2_6CA70060 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA52360 |
5_2_6CA52360 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA7DC70 |
5_2_6CA7DC70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA35880 |
5_2_6CA35880 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA598F0 |
5_2_6CA598F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA67A20 |
5_2_6CA67A20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA6DBEE |
5_2_6CA6DBEE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA6140E |
5_2_6CA6140E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA71510 |
5_2_6CA71510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA6F610 |
5_2_6CA6F610 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA4F760 |
5_2_6CA4F760 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA370C0 |
5_2_6CA370C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CAE50D0 |
5_2_6CAE50D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA23000 |
5_2_6CA23000 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAF3B20 appears 38 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAEADB0 appears 49 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAF36E0 appears 45 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAF3820 appears 31 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAF5A70 appears 77 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAF3560 appears 42 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6CAF5980 appears 83 times |
|
Source: Set-up.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Mutant created: \Sessions\1\BaseNamedObjects\hRspMaLdjdjKRSFxtNUo |
Source: Set-up.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: Set-up.exe, 00000001.00000003.1566896930.00000000039E8000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: unknown |
Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe" |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: webio.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windowscodecs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dlnashext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wpdshext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: sinpvqubstltlenwdjhl.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: taskschd.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: xmllite.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: sinpvqubstltlenwdjhl.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: sinpvqubstltlenwdjhl.dll |
Jump to behavior |
Source: Set-up.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2be400 |
Source: Set-up.exe |
Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671000 |
Source: Set-up.exe |
Static PE information: section name: .eh_fram |
Source: service123.exe.1.dr |
Static PE information: section name: .eh_fram |
Source: siNpVQuBSTLTLeNwdJHL.dll.1.dr |
Static PE information: section name: .eh_fram |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_007BA521 push es; iretd |
5_2_007BA694 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CAD0C30 push eax; mov dword ptr [esp], edi |
5_2_6CAD0DAA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA9ED10 push eax; mov dword ptr [esp], ebx |
5_2_6CA9EE33 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA74E31 push eax; mov dword ptr [esp], ebx |
5_2_6CA74E45 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA68E7A push edx; mov dword ptr [esp], ebx |
5_2_6CA68E8E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA6A947 push eax; mov dword ptr [esp], ebx |
5_2_6CA6A95B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA70AA2 push eax; mov dword ptr [esp], ebx |
5_2_6CA70AB6 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA88AA0 push eax; mov dword ptr [esp], ebx |
5_2_6CA8909F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA72AAC push edx; mov dword ptr [esp], ebx |
5_2_6CA72AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA9EAB0 push eax; mov dword ptr [esp], ebx |
5_2_6CA9EBDB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CAA2BF0 push eax; mov dword ptr [esp], ebx |
5_2_6CAA2F24 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CAA2BF0 push edx; mov dword ptr [esp], ebx |
5_2_6CAA2F43 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA6048B push eax; mov dword ptr [esp], ebx |
5_2_6CA604A1 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA604E0 push eax; mov dword ptr [esp], ebx |
5_2_6CA606DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA68435 push edx; mov dword ptr [esp], ebx |
5_2_6CA68449 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA88460 push eax; mov dword ptr [esp], ebx |
5_2_6CA88A5F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA6A5A7 push eax; mov dword ptr [esp], ebx |
5_2_6CA6A5BB |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA41CFA push eax; mov dword ptr [esp], ebx |
5_2_6CAF6622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA41CFA push eax; mov dword ptr [esp], ebx |
5_2_6CAF6622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA606A6 push eax; mov dword ptr [esp], ebx |
5_2_6CA606DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA606A2 push eax; mov dword ptr [esp], ebx |
5_2_6CA606DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA786A1 push 890005EAh; ret |
5_2_6CA786A9 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CAB06B0 push eax; mov dword ptr [esp], ebx |
5_2_6CAB0A4F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA666F3 push edx; mov dword ptr [esp], ebx |
5_2_6CA66707 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA606FD push eax; mov dword ptr [esp], ebx |
5_2_6CA606DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CAA2620 push eax; mov dword ptr [esp], ebx |
5_2_6CAA2954 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CAA2620 push edx; mov dword ptr [esp], ebx |
5_2_6CAA2973 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA6070E push eax; mov dword ptr [esp], ebx |
5_2_6CA606DA |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA6A777 push eax; mov dword ptr [esp], ebx |
5_2_6CA6A78B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA3E0D0 push eax; mov dword ptr [esp], ebx |
5_2_6CAF6AF6 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 5_2_6CA3E0D0 push edx; mov dword ptr [esp], edi |
5_2_6CAF6B36 |
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Evasive API call chain: CreateMutex,DecisionNodes,Sleep |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Stalling execution: Execution stalls by calling Sleep |
Source: C:\Users\user\Desktop\Set-up.exe TID: 7536 |
Thread sleep time: -30000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 6976 |
Thread sleep count: 638 > 30 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 6976 |
Thread sleep time: -63800s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Documents\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Temp |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user |
Jump to behavior |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: tasks.office.comVMware20,11696501413o |
Source: Set-up.exe |
Binary or memory string: VMware |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: netportal.hdfcbank.comVMware20,11696501413 |
Source: Set-up.exe, 00000001.00000003.1511633698.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1511322357.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1525528479.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000002.2100341753.0000000001874000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWPN |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~ |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: dev.azure.comVMware20,11696501413j |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - COM.HKVMware20,11696501413 |
Source: Set-up.exe, 00000001.00000003.1511633698.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1511322357.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000002.2100341753.000000000181E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000003.1525528479.0000000001874000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000001.00000002.2100341753.0000000001874000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413 |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: bankofamerica.comVMware20,11696501413x |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Canara Transaction PasswordVMware20,11696501413} |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413 |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Canara Transaction PasswordVMware20,11696501413x |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: turbotax.intuit.comVMware20,11696501413t |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - HKVMware20,11696501413] |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: outlook.office.comVMware20,11696501413s |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413 |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: account.microsoft.com/profileVMware20,11696501413u |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive userers - EU WestVMware20,11696501413n |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: ms.portal.azure.comVMware20,11696501413 |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413 |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: www.interactiveuserers.comVMware20,11696501413} |
Source: Set-up.exe, 00000001.00000003.1567111770.0000000003A0E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: interactiveuserers.co.inVMware20,11696501413d |
Source: Set-up.exe |
Binary or memory string: libgcc_s_dw2-1.dll__register_frame_info__deregister_frame_infodaoTerminalBlizzardCLR_v2.0_32DewMobileCode - Insiders\SolidDocumentsuser_data#4cardBorisFXIq-TeamGuest ProfileVideosvisa.pwdEADesktopHTML HelpGPUCachexrpSpotifyProgram Files (x86)WeModWeb Datamedia_cacheuser_data4kdownload.com.rtfPostmanInternet ExplorerlauncherUbiquiti UniFi.openshot_qtuser_data#5dumpstrxWinamp.arduinoIDERiot GamesrepositoryG HUBLedger Livejaxsidmailtdatabalena-etcher\VirtualBoxSamsung MagicianJaspersoftWorkspaceSketchUpNeteaseAugLoopupdatesMMCABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/seeedhdokiejnpimakedhajhdlcegeplioahdStorageContraseVaultHD-Playergaedmjdfmmahhbjefcbgaolhhanlaolbuser_data#3cartMPC-BELocalLowUniSDKJackbox GamesUI LauncherkkpllkodjeloidieedojogacfhpaihohtokenacmacodkjbdgmoleebolmdjonilkdbchGoogle Web DesignerwodlSavedWindows Live ContactsNFTbluestacks-servicestof_launcher\Program FilesvshubPicWish.pngEPSONUTC--2.pdflghubCode Cachenode_modulesAMS SoftwareAdguard Software LimitedAuthDictionariesXuanZhi9LogsVsGraphicsadaClickUp...SmartSteamEmuQRobs-studioiTop PDFOISimportSweetLabs App Platformbandlab-assistantHotta\@trezor\arduino-ideWindows Photo ViewerVisualStudioAmpInnovative Solutionscode.txtMSOIdentityCRLnodFPSChessCLR Security Configadspower_global\ZaloDataexchangeDRPSubilleteraUnknown %ddogeDevice MetadatanngceckbapebfimnlniiiahkandclblbgameCanonReasonSaferWebaddonsXuanZhiVOSCiscoSparkpythonProjectOPPAIMPElevatedDiagnosticsOneDriveclavepluginsMessengerMarcoMastroddiSWODISOneNotelinkClassicShellFacebookLocal Statecloudlocalization-cacheEpicGamesLauncher\LibreOfficeVMwareDaum.IdentityService.dartServermasterhakuneko-desktopDriverPack CloudSlackK-MeleonklnaejjgbibmhlephnhpmaofohgkpgkdsolDawnCache.kdbIndexedDBVirtualBox VMsMEGAsyncsyncOnDeviceHeadSuggestModelsourceASUSPerfLogsSamsungHoYoverse\MegaDownloaderfactorhifafgmccdpekplomjjkcfgodnhcelljLlaveslobs-clientOlk\MetroScreenEdgeCoredatabaseswebappdaibhhhlbepdkbapadjdnnojkbgioiodbicTikTok LIVE StudioopcgpfmipidbgpenhmajoajpbobppdilwebviewNichromeDigiartyhodliCloudDrive.quokkabinanceSenhaintegrationsemoji.metadataAdvinstAnalyticsTeamsMeetingAddinnkbihfbeogaeaoehlefnkodbefgpgknnHabbo LauncherXiaomiBlackmagic DesignGraineHoYoverseInputMethodCrashRptTeams.ACEStream.doctbs_cache\fraseProgramDataToolbarTpcdMetadataGitHub DesktopIntel_CorporationSUPERAntiSpywareEpic Games\cloud-uninstallerMeltytech.package-managerDATAparkApowersoftCLR_v4.0ThinkBu |