Source: Set-up.exe.6244.0.memstrmin |
Malware Configuration Extractor: Cryptbot {"C2 list": ["fiftvx15pt.top", "analforeverlovyu.top"]} |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_001E15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
4_2_001E15B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7614B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
4_2_6C7614B0 |
Source: Set-up.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: Set-up.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Documents\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Temp |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea ecx, dword ptr [esp+04h] |
4_2_001E81E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C7DAC70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C7DAD20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C7DAD20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
4_2_6C802EF0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C77AF80 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6C83F960h |
4_2_6C77E8C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, ecx |
4_2_6C8004E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C7804F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C78E490 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C78E490 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C780610 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C78A720 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C78A790 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C78A790 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C780010 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [6C83D014h] |
4_2_6C834110 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C784203 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C78C2C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
4_2_6C808250 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C78A330 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C78A3A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C78A3A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C7DBDF0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C7DBF50 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+04h] |
4_2_6C7B9F90 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C7B9910 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C819900 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C79B98B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C79B987 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C7DBAC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C7D7AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6C83DFF4h |
4_2_6C7D3440 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] |
4_2_6C78D424 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
4_2_6C7D35F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+08h] |
4_2_6C78D5A4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+04h] |
4_2_6C78D724 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C78D050 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
4_2_6C7F7100 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C78D2B4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C7DB280 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [esp+04h] |
4_2_6C7D93B0 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.6:49747 -> 185.244.181.140:80 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.6:49775 -> 185.244.181.140:80 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.6:49802 -> 185.244.181.140:80 |
Source: Malware configuration extractor |
URLs: fiftvx15pt.top |
Source: Malware configuration extractor |
URLs: analforeverlovyu.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary46584377User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: fiftvx15pt.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary38382003User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 91197Host: fiftvx15pt.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary27285830User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 30096Host: fiftvx15pt.top |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary46584377User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 412Host: fiftvx15pt.top |
Source: Set-up.exe, 00000000.00000003.2336556663.0000000001768000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.2336684023.000000000176A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://fiftvx15pt.top/v1/u/ |
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: HwYuaUvXqdEkCixuJard.dll.0.dr |
String found in binary or memory: https://gcc.gnu.org/bugs/): |
Source: Set-up.exe |
String found in binary or memory: https://serviceupdate32.com/update |
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: Set-up.exe, 00000000.00000003.2378064037.0000000003950000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C779B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber, |
4_2_6C779B99 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C779BD7 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
4_2_6C779BD7 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_001E51B0 |
4_2_001E51B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_001E3E20 |
4_2_001E3E20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C76CD00 |
4_2_6C76CD00 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C824E80 |
4_2_6C824E80 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C76EE50 |
4_2_6C76EE50 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C770FC0 |
4_2_6C770FC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7B0870 |
4_2_6C7B0870 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A2A7E |
4_2_6C7A2A7E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7744F0 |
4_2_6C7744F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A4490 |
4_2_6C7A4490 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C798570 |
4_2_6C798570 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A0580 |
4_2_6C7A0580 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C792110 |
4_2_6C792110 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A1E40 |
4_2_6C7A1E40 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7AFE10 |
4_2_6C7AFE10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C775880 |
4_2_6C775880 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7AD99E |
4_2_6C7AD99E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7BDA20 |
4_2_6C7BDA20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C78F510 |
4_2_6C78F510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7996A0 |
4_2_6C7996A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A77D0 |
4_2_6C7A77D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C763000 |
4_2_6C763000 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7770C0 |
4_2_6C7770C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A11BE |
4_2_6C7A11BE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7B12C0 |
4_2_6C7B12C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7AF3C0 |
4_2_6C7AF3C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C835980 appears 83 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C8338D0 appears 38 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C833310 appears 42 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C835A70 appears 77 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C82AB60 appears 49 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C833490 appears 45 times |
|
Source: Set-up.exe, 00000000.00000002.2843692223.0000000001775000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameschtasks.exej% vs Set-up.exe |
Source: Set-up.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@8/2@2/1 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Mutant created: \Sessions\1\BaseNamedObjects\quJYrdQFgygDuzOLcwxa |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4560:120:WilError_03 |
Source: Set-up.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: Set-up.exe, 00000000.00000003.2378388009.000000000393E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: unknown |
Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe" |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: webio.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windowscodecs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: dlnashext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wpdshext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: hwyuauvxqdekcixujard.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: taskschd.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: xmllite.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: hwyuauvxqdekcixujard.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: hwyuauvxqdekcixujard.dll |
Jump to behavior |
Source: Set-up.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: Set-up.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c1c00 |
Source: Set-up.exe |
Static PE information: Raw size of .data is bigger than: 0x100000 < 0x670c00 |
Source: Set-up.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_001E8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, |
4_2_001E8230 |
Source: Set-up.exe |
Static PE information: section name: .eh_fram |
Source: service123.exe.0.dr |
Static PE information: section name: .eh_fram |
Source: HwYuaUvXqdEkCixuJard.dll.0.dr |
Static PE information: section name: .eh_fram |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_001EA499 push es; iretd |
4_2_001EA694 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A8C2A push edx; mov dword ptr [esp], ebx |
4_2_6C7A8C3E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7B4DC1 push eax; mov dword ptr [esp], ebx |
4_2_6C7B4DD5 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7D4DB0 push eax; mov dword ptr [esp], ebx |
4_2_6C7D5018 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A6E03 push edx; mov dword ptr [esp], ebx |
4_2_6C7A6E17 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7B4FA1 push eax; mov dword ptr [esp], ebx |
4_2_6C7B4FB5 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7DE860 push eax; mov dword ptr [esp], ebx |
4_2_6C7DE98B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7B285C push edx; mov dword ptr [esp], ebx |
4_2_6C7B2870 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7B0852 push eax; mov dword ptr [esp], ebx |
4_2_6C7B0866 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7C8850 push eax; mov dword ptr [esp], ebx |
4_2_6C7C8E4F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C8109E0 push eax; mov dword ptr [esp], edi |
4_2_6C810B5A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7E29A0 push eax; mov dword ptr [esp], ebx |
4_2_6C7E2CD4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7E29A0 push edx; mov dword ptr [esp], ebx |
4_2_6C7E2CF3 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7DEAC0 push eax; mov dword ptr [esp], ebx |
4_2_6C7DEBE3 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7B4BE1 push eax; mov dword ptr [esp], ebx |
4_2_6C7B4BF5 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7F0460 push eax; mov dword ptr [esp], ebx |
4_2_6C7F07FF |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A0452 push eax; mov dword ptr [esp], ebx |
4_2_6C7A048A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7B8451 push 890005EAh; ret |
4_2_6C7B8459 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A04BE push eax; mov dword ptr [esp], ebx |
4_2_6C7A048A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A04AD push eax; mov dword ptr [esp], ebx |
4_2_6C7A048A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A64A3 push edx; mov dword ptr [esp], ebx |
4_2_6C7A64B7 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7AA527 push eax; mov dword ptr [esp], ebx |
4_2_6C7AA53B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C781AAA push eax; mov dword ptr [esp], ebx |
4_2_6C836622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C781AAA push eax; mov dword ptr [esp], ebx |
4_2_6C836622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7AA6F7 push eax; mov dword ptr [esp], ebx |
4_2_6C7AA70B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C786003 push eax; mov dword ptr [esp], ebx |
4_2_6C836AF6 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C786003 push edx; mov dword ptr [esp], edi |
4_2_6C836B36 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7B40D5 push ecx; mov dword ptr [esp], ebx |
4_2_6C7B40E9 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C786098 push eax; mov dword ptr [esp], ebx |
4_2_6C836622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A81E5 push edx; mov dword ptr [esp], ebx |
4_2_6C7A81F9 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C7A023B push eax; mov dword ptr [esp], ebx |
4_2_6C7A0251 |
Source: C:\Users\user\Desktop\Set-up.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Evasive API call chain: CreateMutex,DecisionNodes,Sleep |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Stalling execution: Execution stalls by calling Sleep |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
API coverage: 1.1 % |
Source: C:\Users\user\Desktop\Set-up.exe TID: 2084 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 5648 |
Thread sleep count: 819 > 30 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 5648 |
Thread sleep time: -81900s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Documents\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\Set-up.exe |
File opened: C:\Users\user\AppData\Local\Temp |
Jump to behavior |
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552 |
Source: Set-up.exe |
Binary or memory string: VMware |
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE |
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: account.microsoft.com/profileVMware20,11696487552u |
Source: Set-up.exe, 00000000.00000003.2378708875.000000000DADB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: discord.comVMware20,11696487552f |
Source: Set-up.exe |
Binary or memory string: 7libgcc_s_dw2-1.dll__register_frame_info__deregister_frame_infofactorBlizzard.txtSystem Profile.kdbDualSenseXSunSilhouette AmericaJxBrowsersdkLibraryVisual Studio SetupbackupsDaumworkspace-storageXiaomiExodus EdenGIMPbfnaelmomeimhlpmgjnjophhpkkoljpaLocal StoreSketchUpDownloaded Installations.jpeglocalization-cacheUniSDKContinuous MigrationSteam\BitTorrenttonseeedwindowParams.jsonViberEpicGamesLauncherAuthgameThinkBuzanStorageRestor.thinkorswimpocoProgramDataBeamNG.drivecodepeubandlab-assistantStreamingVideoProvider\PerfLogs...microAppsnavigationSpoonholdlinknowwodlSUPERAntiSpywareUARJaxxcarddumpsdoge3uToolsAdvinstAnalyticsbtcTerminal Server Client.jpgProgram Filesuser_data#2.VirtualBoxcitizenfxfnjhmkhhmkbjkkabndcnnogagogbneecaholpfdialjgjfhomihkjbmgjidlcdnoVaultlibrariesusdcom.adobe.dunamisViberPCmonnaietdummymentalmentorElevatedDiagnosticsWindowsA7FDF864FBC10B77emojiAvid.pwd.dochodlCodeTwoWinRARApplicationInsightsticketDRPSuJetBrainsNewTekWindows Live.rtfPackage CacheRAV Endpoint ProtectionTeraBoxTransferSupportRazer\Amazon MusicbhhhlbepdkbapadjdnnojkbgioiodbicSpellingDriverPack Cloud2FAHiSuitedlcobpjiigpikoobohmabehhmhfoodbbFACEIT\tronWebTorrentstremioTSMonitoraccountZXPInstaller\MacromediaCiscoSparkHewlett-PackardToolbarcartiTop PDFpayCode\NoxeurRealwebviewScreenadspower_globalTencentSnapshotsUI LauncherCLR_v4.0.pdfClassicShellltc.pngF8806DD0C461824Fuser_data#5CLR_v2.0_32.openshot_qtD877F783D5D3EF8CDoremidaiDropboxarduino-ideCreativeFiveM\.xlsSamsung MagicianokxNVIDIA Corporation\ReasonSaferWebIdentityCachecomponentsWhatsApp\FacebookLlaveuser_data#4TokenBrokerJDownloader 2.0Valve Corporationexodus.walletVirtualStoreWondershareCode - Insiders\DiscoveryLibreOfficeklnaejjgbibmhlephnhpmaofohgkpgkdZomboidCrashReportClientJavaScriptLedger Live\Rocket LeagueARMDropboxElectronNavegadorSeguroCENEVALSidify Music Converterbluestacks-servicesIK Product ManagerSony CorporationAdawareCredentialsVS Revo Groupuser_dataMiniTool Video ConverterOneNoteOverwolf\EasyAntiCheatDataFolderimportdeemix MusicLavasoftVMwareDATAparkPublicSlackPreSonusRealNetworksRealPlayercom.liberty.jaxxMcAfee_IncTreexyAndroid Open Source Project\Program Files (x86)Riot Games\ContactsXpomBlack Sea Studiosassets.arduinoIDEMicrosoft GamesAdobeSearchesGuest ProfileSpeechQRmainWindows StoreJackbox GamesNotionPunkBusterHabbo Launchernodobs-studio\ljfoeinjpaedjfecbmggjgodbgkmjkjkindexpipCrystal DynamicsPowerISOEOS Webcam UtilityVirtualBoxBlendEdgeUpdateU |