Source: file.exe.7432.0.memstrmin |
Malware Configuration Extractor: Cryptbot {"C2 list": ["analforeverlovyu.top", "pn.top", "n.top", "0asevtbv17pn.top", "+sevtbv17pn.top", "@sevtbv17pn.top", "sevtbv17pn.top"]} |
Source: file.exe |
ReversingLabs: Detection: 34% |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_005315B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
4_2_005315B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2F14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, |
4_2_6C2F14B0 |
Source: file.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: file.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\Documents\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea ecx, dword ptr [esp+04h] |
4_2_005381E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C36AC70 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C36AD20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C36AD20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
4_2_6C392EF0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C30AF80 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6C3CF960h |
4_2_6C30E8C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C31E490 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C31E490 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C3104F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, ecx |
4_2_6C3904E0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C310610 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C31A720 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C31A790 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C31A790 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C310010 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [6C3CD014h] |
4_2_6C3C4110 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C314203 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
4_2_6C398250 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx] |
4_2_6C31C2C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C31A330 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C31A3A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+08h] |
4_2_6C31A3A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C36BDF0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C36BF50 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [ecx+04h] |
4_2_6C349F90 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C3A9900 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C32B987 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C32B98B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C36BAC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push esi |
4_2_6C367AC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] |
4_2_6C31D424 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, 6C3CDFF4h |
4_2_6C363440 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+08h] |
4_2_6C31D5A4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push edi |
4_2_6C3635F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then lea eax, dword ptr [ecx+04h] |
4_2_6C31D724 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C31D050 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebx |
4_2_6C387100 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then push ebp |
4_2_6C31D2B4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then sub esp, 1Ch |
4_2_6C36B280 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4x nop then mov eax, dword ptr [esp+04h] |
4_2_6C3693B0 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49730 -> 80.66.81.78:80 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49731 -> 80.66.81.78:80 |
Source: Network traffic |
Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49734 -> 80.66.81.78:80 |
Source: Malware configuration extractor |
URLs: analforeverlovyu.top |
Source: Malware configuration extractor |
URLs: pn.top |
Source: Malware configuration extractor |
URLs: n.top |
Source: Malware configuration extractor |
URLs: 0asevtbv17pn.top |
Source: Malware configuration extractor |
URLs: +sevtbv17pn.top |
Source: Malware configuration extractor |
URLs: @sevtbv17pn.top |
Source: Malware configuration extractor |
URLs: sevtbv17pn.top |
Source: Joe Sandbox View |
ASN Name: TEAM-HOSTASRU TEAM-HOSTASRU |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary70837388User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: sevtbv17pn.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary12658505User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 89281Host: sevtbv17pn.top |
Source: global traffic |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary60576727User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 31924Host: sevtbv17pn.top |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: sevtbv17pn.top |
Source: unknown |
HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary70837388User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: sevtbv17pn.top |
Source: file.exe, 00000000.00000003.1859870408.00000000010FA000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://sevtbv17pn.top/ |
Source: file.exe, 00000000.00000003.1859870408.00000000010FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768676819.00000000010DF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://sevtbv17pn.top/v1/upload.php |
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search |
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= |
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: TMdMlTZMAWbrEijBRYMr.dll.0.dr |
String found in binary or memory: https://gcc.gnu.org/bugs/): |
Source: file.exe |
String found in binary or memory: https://keruzam.com/update.php?compName |
Source: file.exe, 00000000.00000003.2374347014.000000006A364000.00000002.00001000.00020000.00000000.sdmp |
String found in binary or memory: https://keruzam.com/update.php?compName= |
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.ecosia.org/newtab/ |
Source: file.exe, 00000000.00000003.1824507467.0000000001BE3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C309B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber, |
4_2_6C309B99 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C309B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber, |
4_2_6C309B99 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_005351B0 |
4_2_005351B0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_00533E20 |
4_2_00533E20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2FCD00 |
4_2_6C2FCD00 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2FEE50 |
4_2_6C2FEE50 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3B4E80 |
4_2_6C3B4E80 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C300FC0 |
4_2_6C300FC0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C340870 |
4_2_6C340870 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C332A7E |
4_2_6C332A7E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C334490 |
4_2_6C334490 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3044F0 |
4_2_6C3044F0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C328570 |
4_2_6C328570 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C330580 |
4_2_6C330580 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C322110 |
4_2_6C322110 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C33FE10 |
4_2_6C33FE10 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C331E40 |
4_2_6C331E40 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C305880 |
4_2_6C305880 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C33D99E |
4_2_6C33D99E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C34DA20 |
4_2_6C34DA20 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C31F510 |
4_2_6C31F510 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3296A0 |
4_2_6C3296A0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3377D0 |
4_2_6C3377D0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C2F3000 |
4_2_6C2F3000 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3070C0 |
4_2_6C3070C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3311BE |
4_2_6C3311BE |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3412C0 |
4_2_6C3412C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C33F3C0 |
4_2_6C33F3C0 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C3BAB60 appears 49 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C3C3490 appears 45 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C3C3310 appears 42 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C3C5980 appears 83 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C3C5A70 appears 77 times |
|
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: String function: 6C3C38D0 appears 38 times |
|
Source: file.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: classification engine |
Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Mutant created: \Sessions\1\BaseNamedObjects\uoijNYchjvFkhpkdArrg |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03 |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: file.exe, 00000000.00000003.1824507467.0000000001C34000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key)); |
Source: file.exe |
ReversingLabs: Detection: 34% |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe" |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
|
Source: C:\Windows\SysWOW64\schtasks.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: unknown |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe |
|
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: webio.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: windowscodecs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: dlnashext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wpdshext.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: edputil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: windows.staterepositoryps.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: appresolver.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: bcp47langs.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: slc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: sppc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: onecorecommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: tmdmltzmawbreijbrymr.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: taskschd.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: xmllite.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: tmdmltzmawbreijbrymr.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Section loaded: tmdmltzmawbreijbrymr.dll |
Jump to behavior |
Source: file.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: file.exe |
Static file information: File size 7457792 > 1048576 |
Source: file.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4c5600 |
Source: file.exe |
Static PE information: Raw size of .data is bigger than: 0x100000 < 0x1da600 |
Source: file.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_00538230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, |
4_2_00538230 |
Source: file.exe |
Static PE information: section name: .eh_fram |
Source: service123.exe.0.dr |
Static PE information: section name: .eh_fram |
Source: TMdMlTZMAWbrEijBRYMr.dll.0.dr |
Static PE information: section name: .eh_fram |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_0053A499 push es; iretd |
4_2_0053A694 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C338C2A push edx; mov dword ptr [esp], ebx |
4_2_6C338C3E |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C364DB0 push eax; mov dword ptr [esp], ebx |
4_2_6C365018 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C344DC1 push eax; mov dword ptr [esp], ebx |
4_2_6C344DD5 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C336E03 push edx; mov dword ptr [esp], ebx |
4_2_6C336E17 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C344FA1 push eax; mov dword ptr [esp], ebx |
4_2_6C344FB5 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C36E860 push eax; mov dword ptr [esp], ebx |
4_2_6C36E98B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C358850 push eax; mov dword ptr [esp], ebx |
4_2_6C358E4F |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C340852 push eax; mov dword ptr [esp], ebx |
4_2_6C340866 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C34285C push edx; mov dword ptr [esp], ebx |
4_2_6C342870 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3729A0 push eax; mov dword ptr [esp], ebx |
4_2_6C372CD4 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3729A0 push edx; mov dword ptr [esp], ebx |
4_2_6C372CF3 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3A09E0 push eax; mov dword ptr [esp], edi |
4_2_6C3A0B5A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C36EAC0 push eax; mov dword ptr [esp], ebx |
4_2_6C36EBE3 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C344BE1 push eax; mov dword ptr [esp], ebx |
4_2_6C344BF5 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C380460 push eax; mov dword ptr [esp], ebx |
4_2_6C3807FF |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C330452 push eax; mov dword ptr [esp], ebx |
4_2_6C33048A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C348451 push 890005EAh; ret |
4_2_6C348459 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3304BE push eax; mov dword ptr [esp], ebx |
4_2_6C33048A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3364A3 push edx; mov dword ptr [esp], ebx |
4_2_6C3364B7 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3304AD push eax; mov dword ptr [esp], ebx |
4_2_6C33048A |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C33A527 push eax; mov dword ptr [esp], ebx |
4_2_6C33A53B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C311AAA push eax; mov dword ptr [esp], ebx |
4_2_6C3C6622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C311AAA push eax; mov dword ptr [esp], ebx |
4_2_6C3C6622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C33A6F7 push eax; mov dword ptr [esp], ebx |
4_2_6C33A70B |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C316003 push eax; mov dword ptr [esp], ebx |
4_2_6C3C6AF6 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C316003 push edx; mov dword ptr [esp], edi |
4_2_6C3C6B36 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C316098 push eax; mov dword ptr [esp], ebx |
4_2_6C3C6622 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3440D5 push ecx; mov dword ptr [esp], ebx |
4_2_6C3440E9 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C3381E5 push edx; mov dword ptr [esp], ebx |
4_2_6C3381F9 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_6C33023B push eax; mov dword ptr [esp], ebx |
4_2_6C330251 |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Evasive API call chain: CreateMutex,DecisionNodes,Sleep |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Stalling execution: Execution stalls by calling Sleep |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
API coverage: 1.1 % |
Source: C:\Users\user\Desktop\file.exe TID: 7516 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8020 |
Thread sleep count: 589 > 30 |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8020 |
Thread sleep time: -58900s >= -30000s |
Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\Documents\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Temp |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\Desktop\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local |
Jump to behavior |
Source: file.exe |
Binary or memory string: VMware |
Source: file.exe, 00000000.00000003.1781292878.00000000010E4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1859884995.00000000010DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375435758.00000000010DF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1768676819.00000000010E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2375435758.000000000109E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_00538230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, |
4_2_00538230 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_0053116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, |
4_2_0053116C |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_00531160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, |
4_2_00531160 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_005311A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, |
4_2_005311A3 |
Source: C:\Users\user\AppData\Local\Temp\service123.exe |
Code function: 4_2_005313C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, |
4_2_005313C9 |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe" |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f |
Jump to behavior |
Source: Yara match |
File source: 4.2.service123.exe.6c2f0000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000003.2351645168.0000000004495000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: service123.exe PID: 8016, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR |
Source: file.exe |
String found in binary or memory: Electrum |
Source: file.exe |
String found in binary or memory: \ElectronCash\wallets |
Source: file.exe |
String found in binary or memory: com.liberty.jaxx |
Source: file.exe |
String found in binary or memory: \Exodus\backup |
Source: file.exe |
String found in binary or memory: exodus |
Source: file.exe |
String found in binary or memory: Ethereum (UTC) |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite |
Jump to behavior |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data |
Jump to behavior |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 7432, type: MEMORYSTR |