Windows Analysis Report
O5OjRoFGIW.exe

Overview

General Information

Sample name: O5OjRoFGIW.exe
renamed because original name is a hash value
Original sample name: bdf110e30158c8edbc6f15cd0aff3576.bin.exe
Analysis ID: 1416908
MD5: bdf110e30158c8edbc6f15cd0aff3576
SHA1: 3546d2ceb3745787480b111c9059c31456f868ac
SHA256: 1e1d285a41469ec9a7a356475e4c9040fc54a088862b6ca5caf91f71fa986925
Tags: DCRatexe

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains potential unpacker
Creates processes via WMI
Drops PE files with a suspicious file extension
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: WScript or CScript Dropper
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SIDT)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\Floppy.scr Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\qaZuUyhTvy3Ow0sR3yWsCVR.vbe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files\Google\SystemSettings.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Recovery\WmiPrvSE.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\tnSpZLqX.log Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\NKQvtzqn.log Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\jDownloader\config\RuntimeBroker.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\nMwiLBfl.log Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\RsXUWNQa.log Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Recovery\conhost.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\zh7ztWDiYf.bat Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Program Files (x86)\jDownloader\config\RuntimeBroker.exe ReversingLabs: Detection: 54%
Source: C:\Program Files (x86)\jDownloader\config\RuntimeBroker.exe Virustotal: Detection: 52%
Source: C:\Program Files\Google\SystemSettings.exe ReversingLabs: Detection: 54%
Source: C:\Program Files\Google\SystemSettings.exe Virustotal: Detection: 52%
Source: C:\Recovery\WmiPrvSE.exe ReversingLabs: Detection: 54%
Source: C:\Recovery\WmiPrvSE.exe Virustotal: Detection: 52%
Source: C:\Recovery\conhost.exe ReversingLabs: Detection: 54%
Source: C:\Recovery\conhost.exe Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Roaming\Floppy.scr ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Roaming\Floppy.scr Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\AlGpCalM.log Virustotal: Detection: 7%
Source: C:\Users\user\Desktop\JOOemUAt.log Virustotal: Detection: 7%
Source: C:\Users\user\Desktop\JxHMXyHr.log Virustotal: Detection: 21%
Source: C:\Users\user\Desktop\NKQvtzqn.log ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\NKQvtzqn.log Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\aWfJGGgI.log Virustotal: Detection: 7%
Source: C:\Users\user\Desktop\iZejiEQx.log Virustotal: Detection: 8%
Source: O5OjRoFGIW.exe ReversingLabs: Detection: 50%
Source: O5OjRoFGIW.exe Virustotal: Detection: 49%
Source: C:\Users\user\AppData\Roaming\Floppy.scr Joe Sandbox ML: detected
Source: C:\Program Files\Google\SystemSettings.exe Joe Sandbox ML: detected
Source: C:\Recovery\WmiPrvSE.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\JOOemUAt.log Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AlGpCalM.log Joe Sandbox ML: detected
Source: C:\Program Files (x86)\jDownloader\config\RuntimeBroker.exe Joe Sandbox ML: detected
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Joe Sandbox ML: detected
Source: C:\Recovery\conhost.exe Joe Sandbox ML: detected
Source: O5OjRoFGIW.exe Joe Sandbox ML: detected
Source: O5OjRoFGIW.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Directory created: C:\Program Files\Google\SystemSettings.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Directory created: C:\Program Files\Google\9e60a5f7a3bd80
Source: O5OjRoFGIW.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Floppy.scr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\initialexe\chrome.exe.pdb source: chrome.exe
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: O5OjRoFGIW.exe
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_proxy.exe.pdb source: chrome_proxy.exe
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B83230 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00B83230
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B93AC0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00B93AC0
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00BA2788 FindFirstFileExA, 0_2_00BA2788
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008CA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 2_2_008CA69B
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008DC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 2_2_008DC220
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008EB348 FindFirstFileExA, 2_2_008EB348
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh 6_2_00007FF8490E83CD
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 4x nop then jmp 00007FF849679BBEh 6_2_00007FF8496799B5
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Code function: 4x nop then jmp 00007FF848F427F6h 35_2_00007FF848F425EE
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Code function: 4x nop then jmp 00007FF848F227F6h 36_2_00007FF848F225EE

Networking

Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.5:49711 -> 80.66.84.71:80
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: chrome_proxy.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://ocsp.digicert.com0
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: servernet.exe, 00000006.00000002.2115240562.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, servernet.exe, 00000006.00000002.2115240562.0000000002644000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, chrome_proxy.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: chrome.exe String found in binary or memory: https://crashpad.chromium.org/
Source: chrome.exe String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: chrome.exe String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new

System Summary

Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008C6FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 2_2_008C6FAA
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Windows\en-GB\XxjbrMQQJwIwk.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Windows\en-GB\9edda0bcc19ef6
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B84783 0_2_00B84783
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B93F67 0_2_00B93F67
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00BA4880 0_2_00BA4880
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B8C084 0_2_00B8C084
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B861C8 0_2_00B861C8
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B8AA76 0_2_00B8AA76
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00BA4D2E 0_2_00BA4D2E
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B9C52D 0_2_00B9C52D
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B85D20 0_2_00B85D20
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B8CD21 0_2_00B8CD21
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00BA8E34 0_2_00BA8E34
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B85769 0_2_00B85769
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B9C75C 0_2_00B9C75C
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008C848E 2_2_008C848E
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008D4088 2_2_008D4088
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008D00B7 2_2_008D00B7
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008C40FE 2_2_008C40FE
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008E51C9 2_2_008E51C9
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008D7153 2_2_008D7153
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008D62CA 2_2_008D62CA
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008C32F7 2_2_008C32F7
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008D43BF 2_2_008D43BF
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008CC426 2_2_008CC426
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008ED440 2_2_008ED440
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008CF461 2_2_008CF461
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008D77EF 2_2_008D77EF
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008ED8EE 2_2_008ED8EE
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008C286B 2_2_008C286B
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008CE9B7 2_2_008CE9B7
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008F19F4 2_2_008F19F4
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008D6CDC 2_2_008D6CDC
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008D3E0B 2_2_008D3E0B
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008E4F9A 2_2_008E4F9A
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008CEFE2 2_2_008CEFE2
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF848F31ABD 6_2_00007FF848F31ABD
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF848F31300 6_2_00007FF848F31300
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490EF409 6_2_00007FF8490EF409
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490F1447 6_2_00007FF8490F1447
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490F2C95 6_2_00007FF8490F2C95
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490E2BF3 6_2_00007FF8490E2BF3
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490F16D4 6_2_00007FF8490F16D4
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490EF6C3 6_2_00007FF8490EF6C3
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490F15F4 6_2_00007FF8490F15F4
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490F20F2 6_2_00007FF8490F20F2
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490EF71D 6_2_00007FF8490EF71D
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF849678E92 6_2_00007FF849678E92
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF849677A20 6_2_00007FF849677A20
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF849676EAD 6_2_00007FF849676EAD
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Code function: 35_2_00007FF848F3FD39 35_2_00007FF848F3FD39
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Code function: 35_2_00007FF848F3DF3E 35_2_00007FF848F3DF3E
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Code function: 35_2_00007FF848F31ABD 35_2_00007FF848F31ABD
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Code function: 36_2_00007FF848F11ABD 36_2_00007FF848F11ABD
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Code function: 36_2_00007FF848F1FD39 36_2_00007FF848F1FD39
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Code function: 36_2_00007FF848F1DF3E 36_2_00007FF848F1DF3E
Source: C:\Program Files\Google\SystemSettings.exe Code function: 39_2_00007FF848F11ABD 39_2_00007FF848F11ABD
Source: C:\Program Files\Google\SystemSettings.exe Code function: 39_2_00007FF848F11300 39_2_00007FF848F11300
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\AlGpCalM.log F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: String function: 00B96600 appears 47 times
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: String function: 008DEC50 appears 56 times
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: String function: 008DF5F0 appears 31 times
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: String function: 008DEB78 appears 39 times
Source: JxHMXyHr.log.6.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: NKQvtzqn.log.6.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: LAuuthLm.log.6.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: tnSpZLqX.log.6.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: jEyZpjlp.log.6.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: aWfJGGgI.log.6.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RsXUWNQa.log.6.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: JOOemUAt.log.6.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: AlGpCalM.log.6.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: iZejiEQx.log.6.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: chrome.exe.0.dr Static PE information: Number of sections : 12 > 10
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Roaming\Floppy.scr Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: mscoree.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: apphelp.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: version.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: uxtheme.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: wldp.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: amsi.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: userenv.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: profapi.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: windows.storage.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: cryptsp.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: rsaenh.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: cryptbase.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: sspicli.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: mscoree.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: version.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: uxtheme.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: wldp.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: amsi.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: userenv.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: profapi.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: windows.storage.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: cryptsp.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: rsaenh.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: cryptbase.dll
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Section loaded: sspicli.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: mscoree.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: version.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: wldp.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: amsi.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: userenv.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: profapi.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Google\SystemSettings.exe Section loaded: sspicli.dll
Source: O5OjRoFGIW.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: servernet.exe.2.dr Static PE information: Section: .reloc ZLIB complexity 0.99609375
Source: conhost.exe.6.dr Static PE information: Section: .reloc ZLIB complexity 0.99609375
Source: RuntimeBroker.exe.6.dr Static PE information: Section: .reloc ZLIB complexity 0.99609375
Source: WmiPrvSE.exe.6.dr Static PE information: Section: .reloc ZLIB complexity 0.99609375
Source: SystemSettings.exe.6.dr Static PE information: Section: .reloc ZLIB complexity 0.99609375
Source: XxjbrMQQJwIwk.exe.6.dr Static PE information: Section: .reloc ZLIB complexity 0.99609375
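The six dropped .NET executables above all report a .reloc section with ZLIB complexity 0.99609375, i.e. essentially incompressible. A genuine relocation table is a list of 16-bit entries sharing the same type nibble with ascending page offsets, which deflates well, so a .reloc section that does not compress is a sign that it carries encrypted or packed data rather than fixups. The script below is an added example, not part of the Joe Sandbox report: the sandbox's exact formula is not stated on the page, so zlib_complexity is my reading of the metric (zlib output size over input size, clamped at 1.0), applied to a hand-built relocation table and to pseudo-random bytes standing in for an encrypted section.

```python
"""Why a near-incompressible .reloc section is a packing indicator.

Added example, not part of the Joe Sandbox report. zlib_complexity is an
assumed reading of the report's 'ZLIB complexity' figure; the relocation table
and the random bytes below are constructed test data.
"""
import random
import struct
import zlib


def zlib_complexity(data: bytes) -> float:
    """Compressed size over original size, clamped to 1.0 (assumed metric)."""
    if not data:
        return 0.0
    return min(1.0, len(zlib.compress(data, 9)) / len(data))


def build_reloc_block(page_rva: int, offsets) -> bytes:
    """One IMAGE_BASE_RELOCATION block: VirtualAddress, SizeOfBlock, then 16-bit
    entries with the type in the top 4 bits (3 = IMAGE_REL_BASED_HIGHLOW) and the
    page offset in the low 12 bits, padded to a DWORD boundary with an ABSOLUTE entry."""
    entries = [(3 << 12) | (off & 0xFFF) for off in offsets]
    if len(entries) % 2:
        entries.append(0)
    size = 8 + 2 * len(entries)
    return struct.pack("<II", page_rva, size) + struct.pack("<%dH" % len(entries), *entries)


def typical_reloc_section(pages: int = 4) -> bytes:
    """A plausible, highly regular .reloc section: one block per 4 KiB page with a
    fixup every 8 bytes (constructed, not taken from any real binary)."""
    return b"".join(build_reloc_block(0x1000 * (i + 1), range(0, 0x1000, 8))
                    for i in range(pages))


def packed_like_section(size: int = 4096, seed: int = 1) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted payload."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def reloc_looks_packed(section: bytes, threshold: float = 0.9) -> bool:
    """Flag a .reloc section whose bytes do not compress like a relocation table."""
    return zlib_complexity(section) >= threshold


if __name__ == "__main__":
    for label, blob in (("relocation table", typical_reloc_section()),
                        ("random payload", packed_like_section())):
        print("%-16s complexity %.3f packed=%s"
              % (label, zlib_complexity(blob), reloc_looks_packed(blob)))
```

Running it prints a low ratio for the constructed relocation table and 1.0 for the random bytes. To apply the check to a real sample, slice the .reloc section's raw bytes out with a PE parser and pass them to reloc_looks_packed; a threshold near 0.9 separates the two cases above by a wide margin.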
Source: JxHMXyHr.log.6.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: NKQvtzqn.log.6.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: LAuuthLm.log.6.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tnSpZLqX.log.6.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: jEyZpjlp.log.6.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: aWfJGGgI.log.6.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: RsXUWNQa.log.6.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: JOOemUAt.log.6.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: AlGpCalM.log.6.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: iZejiEQx.log.6.dr, -.cs Cryptographic APIs: 'TransformFinalBlock'
Source: chrome.exe Binary string: \Device\DeviceApi
Source: chrome.exe Binary string: PathSystemDriveSystemRootTEMPTMPCHROME_CRASHPAD_PIPE_NAMEprocessIdtaglockdownLeveljobLeveldesiredIntegrityLeveldesiredMitigationsplatformMitigationscomponentFiltersappContainerSidappContainerCapabilitiesappContainerInitialCapabilitieslowboxSidpolicyRulesdisabledenableddisconnectCsrsszeroAppShimhandlesToCloseLockdownLimitedInteractiveRestricted Same AccessRestricted Non AdminLimited UserUnprotectedS-1-16-16384 SystemS-1-16-12288 HighS-1-16-8192 MediumS-1-16-6144 Medium LowS-1-16-4096 LowS-1-16-2048 Below LowS-1-16-0 Untrusted%016llx%016llx%016llx%08lxp[%d] == %xp[%d] == %pp[%d] & %x(p[%d], '%ls')exactprefixscanendsaskBrokerdenyalarmfakeSuccessfakeDeniedUnusedPing1Ping2NtOpenFileNtSetInfoRenameGdiDllInitializeGetStockObjectRegisterClassW*\windows_shell_global_counters\Device\DeviceApi\Device\KsecDDALPC Port{
Source: chrome.exe Binary string: \??\pipe\\\.\\Device\\Device\HarddiskVolume\Device\\/?/?\\??\ntdll.dllntdll.dllNtOpenProcessNtOpenProcessTokenNtSetInformationThreadNtOpenThreadTokenNtOpenThreadTokenExkernel32.dll
Source: chrome.exe Binary string: \Device\KsecDD
Source: O5OjRoFGIW.exe Binary or memory string: M.slN
Source: classification engine Classification label: mal100.troj.evad.winEXE@33/35@0/0
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B8193A GetLastError,FormatMessageW, 0_2_00B8193A
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B91D72 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00B91D72
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Program Files (x86)\jdownloader\config\RuntimeBroker.exe
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe File created: C:\Users\user\AppData\Roaming\__tmp_rar_sfx_access_check_5286781
Source: C:\Program Files\Google\SystemSettings.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\070d7c3f3b5f3bf1f940a356daf6c3cd918d3ef7a2e6dc815806c537005a76ba
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\AppData\Local\Temp\VN2HXX5oOb
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\nbrdiKRtfK6.bat" "
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Command line argument: sfxname 0_2_00B95833
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Command line argument: sfxstime 0_2_00B95833
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Command line argument: STARTDLG 0_2_00B95833
Source: C:\Users\user\AppData\Roaming\Floppy.scr Command line argument: sfxname 2_2_008DDF1E
Source: C:\Users\user\AppData\Roaming\Floppy.scr Command line argument: sfxstime 2_2_008DDF1E
Source: C:\Users\user\AppData\Roaming\Floppy.scr Command line argument: STARTDLG 2_2_008DDF1E
Source: O5OjRoFGIW.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: O5OjRoFGIW.exe ReversingLabs: Detection: 50%
Source: O5OjRoFGIW.exe Virustotal: Detection: 49%
Source: chrome.exe String found in binary or memory: Try '%ls --help' for more information.
Source: chrome.exe String found in binary or memory: Try '%ls --help' for more information.
Source: chrome.exe String found in binary or memory: partition_alloc/address_space
Source: chrome.exe String found in binary or memory: --help display this help and exit
Source: chrome.exe String found in binary or memory: --help display this help and exit
Source: chrome.exe String found in binary or memory: free-invalid-address
Source: chrome.exe String found in binary or memory: ..\..\components\gwp_asan\crash_handler\crash_handler.ccDetected GWP-ASan crash with missing metadata.Detected GWP-ASan crash for allocation at 0x) of type Invalid address passed to free() is Experienced internal error: partitionallocunexpected allocator typeheap-use-after-freeheap-buffer-underflowheap-buffer-overflowdouble-freefree-invalid-addresslightweight-heap-use-after-freeunexpected error type
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe File read: C:\Users\user\Desktop\O5OjRoFGIW.exe
Source: unknown Process created: C:\Users\user\Desktop\O5OjRoFGIW.exe "C:\Users\user\Desktop\O5OjRoFGIW.exe"
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Users\user\AppData\Roaming\Floppy.scr "C:\Users\user\AppData\Roaming\Floppy.scr" /S
Source: C:\Users\user\AppData\Roaming\Floppy.scr Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\qaZuUyhTvy3Ow0sR3yWsCVR.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\nbrdiKRtfK6.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe "C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon/servernet.exe"
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\conhost.exe'" /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\jdownloader\config\RuntimeBroker.exe'" /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\jdownloader\config\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\jdownloader\config\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WmiPrvSE.exe'" /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XxjbrMQQJwIwkX" /sc MINUTE /mo 14 /tr "'C:\Windows\en-GB\XxjbrMQQJwIwk.exe'" /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XxjbrMQQJwIwkX" /sc MINUTE /mo 10 /tr "'C:\Windows\en-GB\XxjbrMQQJwIwk.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zh7ztWDiYf.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown Process created: C:\Windows\en-GB\XxjbrMQQJwIwk.exe C:\Windows\en-GB\XxjbrMQQJwIwk.exe
Source: unknown Process created: C:\Windows\en-GB\XxjbrMQQJwIwk.exe C:\Windows\en-GB\XxjbrMQQJwIwk.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\SystemSettings.exe "C:\Program Files\Google\SystemSettings.exe"
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Users\user\AppData\Roaming\Floppy.scr "C:\Users\user\AppData\Roaming\Floppy.scr" /S
Source: C:\Users\user\AppData\Roaming\Floppy.scr Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\qaZuUyhTvy3Ow0sR3yWsCVR.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\nbrdiKRtfK6.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe "C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon/servernet.exe"
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zh7ztWDiYf.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\SystemSettings.exe "C:\Program Files\Google\SystemSettings.exe"
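The process-creation entries above show the two behaviours a responder should key on: schtasks re-launching renamed payloads every few minutes with highest privileges under task names that imitate Windows binaries, and a batch file that burns time with `ping -n 10 localhost` before starting the next stage. The following triage script is an added example, not code from the report or from the malware. Its event records are constructed from the command lines shown here (including the "conhostc" task listed further down under Boot Survival) plus two benign entries for contrast; the field names image, parent and cmdline are an assumption modelled on Sysmon event ID 1.

```python
"""Triage scheduled-task persistence and ping-based delays in process-creation events."""
import re

# Windows binaries whose names the sample reuses for task names and dropped payloads.
SYSTEM_NAMES = ("wmiprvse", "conhost", "runtimebroker", "systemsettings")
# A /sc MINUTE task re-launched at or below this interval is treated as a watchdog.
MAX_BENIGN_MINUTES = 15

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
PING_SLEEP_RE = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:127\.0\.0\.1|localhost)\b", re.I)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the /tn /sc /mo /tr /rl values of a 'schtasks /create' call, else None."""
    tokens = split_cmdline(cmdline)
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None
    opts = {}
    for i, tok in enumerate(lowered):
        if tok in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(tokens):
            # DCRat wraps the /tr path in single quotes inside the double quotes.
            opts[tok] = tokens[i + 1].strip("'")
    return opts


def task_findings(opts):
    """Human-readable reasons a parsed task looks like malware persistence."""
    findings = []
    if opts.get("/sc", "").upper() == "MINUTE":
        mo = opts.get("/mo", "1")
        minutes = int(mo) if mo.isdigit() else 1
        if minutes <= MAX_BENIGN_MINUTES:
            findings.append(f"re-launched every {minutes} min (watchdog cadence)")
    if opts.get("/rl", "").upper() == "HIGHEST":
        findings.append("runs with highest privileges")
    if opts.get("/tn", "").lower().startswith(SYSTEM_NAMES):
        findings.append(f"task name {opts['/tn']!r} mimics a system process")
    return findings


def ping_sleep_seconds(cmdline):
    """Seconds burnt by 'ping -n N localhost' (N echoes roughly 1 s apart), else None."""
    m = PING_SLEEP_RE.search(cmdline)
    if not m:
        return None
    return max(int(m.group(1) or 4) - 1, 0)   # ping sends 4 echoes by default


def triage(events):
    """Return [(label, [findings...])] for every suspicious event."""
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        if image.endswith("\\schtasks.exe"):
            opts = parse_schtasks(ev["cmdline"])
            findings = task_findings(opts) if opts else []
            if findings:
                alerts.append((opts.get("/tn", "<unnamed>"), findings))
        elif image.endswith("\\ping.exe") and ev["parent"].lower().endswith("\\cmd.exe"):
            secs = ping_sleep_seconds(ev["cmdline"])
            if secs is not None:
                alerts.append(("ping-sleep", [f"~{secs}s delay before the next batch command"]))
    return alerts


# Constructed events: the report's command lines plus two benign ones (assumed field names).
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
CMD = r"C:\Windows\System32\cmd.exe"
DROPPER = r"C:\Users\user\Desktop\O5OjRoFGIW.exe"
SAMPLE_EVENTS = [
    {"image": SCHTASKS, "parent": DROPPER, "cmdline": r"""schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f"""},
    {"image": SCHTASKS, "parent": DROPPER, "cmdline": r"""schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f"""},
    {"image": SCHTASKS, "parent": DROPPER, "cmdline": r"""schtasks.exe /create /tn "XxjbrMQQJwIwkX" /sc MINUTE /mo 14 /tr "'C:\Windows\en-GB\XxjbrMQQJwIwk.exe'" /f"""},
    {"image": SCHTASKS, "parent": DROPPER, "cmdline": r"""schtasks.exe /create /tn "XxjbrMQQJwIwkX" /sc MINUTE /mo 10 /tr "'C:\Windows\en-GB\XxjbrMQQJwIwk.exe'" /rl HIGHEST /f"""},
    {"image": SCHTASKS, "parent": DROPPER, "cmdline": r"""schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\conhost.exe'" /f"""},
    {"image": r"C:\Windows\System32\PING.EXE", "parent": CMD, "cmdline": "ping -n 10 localhost"},
    # benign entries, constructed for contrast
    {"image": SCHTASKS, "parent": r"C:\Windows\explorer.exe", "cmdline": r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f"""},
    {"image": r"C:\Windows\System32\PING.EXE", "parent": CMD, "cmdline": "ping -n 4 10.0.0.1"},
]

if __name__ == "__main__":
    for label, findings in triage(SAMPLE_EVENTS):
        print(label, "->", "; ".join(findings))
```

The ping rule is deliberately scoped to a cmd.exe parent and a loopback target: a user pinging a remote host from a console is noise, whereas `ping localhost` launched from a batch file has no diagnostic purpose and exists only as a sleep that needs no extra binary.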
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Directory created: C:\Program Files\Google\SystemSettings.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Directory created: C:\Program Files\Google\9e60a5f7a3bd80
Source: O5OjRoFGIW.exe Static file information: File size 4633996 > 1048576
Source: O5OjRoFGIW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: O5OjRoFGIW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: O5OjRoFGIW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: O5OjRoFGIW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: O5OjRoFGIW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: O5OjRoFGIW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: O5OjRoFGIW.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: Floppy.scr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\initialexe\chrome.exe.pdb source: chrome.exe
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: O5OjRoFGIW.exe
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_proxy.exe.pdb source: chrome_proxy.exe
Source: O5OjRoFGIW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: O5OjRoFGIW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: O5OjRoFGIW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: O5OjRoFGIW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: O5OjRoFGIW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

barindex
Source: servernet.exe.2.dr, _.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: conhost.exe.6.dr, _.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: RuntimeBroker.exe.6.dr, _.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: WmiPrvSE.exe.6.dr, _.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: SystemSettings.exe.6.dr, _.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: XxjbrMQQJwIwk.exe.6.dr, _.cs .Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe File created: C:\Users\user\AppData\Roaming\__tmp_rar_sfx_access_check_5286781
Source: O5OjRoFGIW.exe Static PE information: section name: .didat
Source: chrome_proxy.exe.0.dr Static PE information: section name: .gxfg
Source: chrome_proxy.exe.0.dr Static PE information: section name: .retplne
Source: chrome_proxy.exe.0.dr Static PE information: section name: _RDATA
Source: chrome.exe.0.dr Static PE information: section name: .gxfg
Source: chrome.exe.0.dr Static PE information: section name: .retplne
Source: chrome.exe.0.dr Static PE information: section name: CPADinfo
Source: chrome.exe.0.dr Static PE information: section name: _RDATA
Source: chrome.exe.0.dr Static PE information: section name: malloc_h
Source: Floppy.scr.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_3_034D3B5B push ecx; ret 0_3_034D3AF9 (4 identical entries)
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_3_034D5A7A push eax; iretd 0_3_034D5AF1 (4 identical entries)
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_3_034D5A02 pushfd ; ret 0_3_034D5A0D (4 identical entries)
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_3_034D3B1A push ebp; ret 0_3_034D3AD9 (4 identical entries)
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_3_034D58EA push ss; iretd 0_3_034D58C1 (4 identical entries)
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_3_034D5AF3 push eax; iretd 0_3_034D5AF1 (4 identical entries)
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_3_034D3ABA push ecx; ret 0_3_034D3AF9 (4 identical entries)
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B973C0 push ecx; ret 0_2_00B973D3
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B96575 push ecx; ret 0_2_00B96588
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008DF640 push ecx; ret 2_2_008DF653
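Every dropped .NET component above (servernet.exe, conhost.exe, RuntimeBroker.exe, WmiPrvSE.exe, SystemSettings.exe, XxjbrMQQJwIwk.exe) passes a byte[] to System.Reflection.Assembly.Load in Main, so the real payload is a complete PE image stored inside the host, typically as a resource or static array. The first analysis step is to carve those images out and tell managed from native ones. The scanner below is an added example, not code from the report or the sample: it validates each "MZ" candidate by following e_lfanew to the PE signature, reading the optional header's CLR data directory, and sizing the image from its section table so a stray "MZ" in random data is rejected. The host, decoy and payload it runs on are constructed minimal PE images built in the block itself, not bytes from the sample.

```python
"""Carve embedded PE images (and flag managed ones) out of a loader binary."""
import struct

IMAGE_NT_SIGNATURE = b"PE\0\0"
DIR_COM_DESCRIPTOR = 14          # data-directory slot holding the CLR header


def validate_pe(blob, pos):
    """Return (offset, is_dotnet, raw_size) if a plausible PE starts at pos, else None."""
    if pos + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
    if not 0x40 <= e_lfanew <= 0x400:            # DOS stub sizes seen in real files
        return None
    pe = pos + e_lfanew
    if blob[pe:pe + 4] != IMAGE_NT_SIGNATURE or pe + 24 > len(blob):
        return None
    # COFF header: Machine, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24
    if opt + opt_size > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:                            # PE32: data directories at +96
        dirs = opt + 96
    elif magic == 0x20B:                          # PE32+: data directories at +112
        dirs = opt + 112
    else:
        return None
    if dirs + (DIR_COM_DESCRIPTOR + 1) * 8 > opt + opt_size:
        return None
    _, clr_size = struct.unpack_from("<II", blob, dirs + DIR_COM_DESCRIPTOR * 8)
    # The on-disk image ends where the last raw section ends.
    end = 0
    table = opt + opt_size
    for i in range(nsections):
        hdr = table + i * 40
        if hdr + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    if end == 0 or pos + end > len(blob):
        return None
    return (pos, clr_size != 0, end)


def find_embedded_pe(blob, start=1):
    """All validated PE images at or after `start` (1 skips the host's own header)."""
    hits = []
    pos = blob.find(b"MZ", start)
    while pos != -1:
        hit = validate_pe(blob, pos)
        if hit:
            hits.append(hit)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve(blob):
    """Raw bytes of every embedded image, in file order."""
    return [blob[off:off + size] for off, _, size in find_embedded_pe(blob)]


def build_fake_pe(dotnet, body=b"\x90" * 64):
    """Constructed minimal PE32 with one .text section; a fixture, not a real binary."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = IMAGE_NT_SIGNATURE + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[DIR_COM_DESCRIPTOR] = (0x2008, 72)   # non-zero CLR header marks a managed image
    opt = struct.pack("<H", 0x10B) + b"\0" * 94
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    raw_ptr = 0x200
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(body), 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + coff + opt + section
    return header + b"\0" * (raw_ptr - len(header)) + body


# Constructed host: native stub, a stray "MZ" that is not a header, then a managed payload.
HOST = build_fake_pe(dotnet=False)
DECOY = b"\0" * 37 + b"MZ" + b"\x11" * 80
PAYLOAD = build_fake_pe(dotnet=True)
SAMPLE_BLOB = HOST + DECOY + PAYLOAD + b"\0" * 16

if __name__ == "__main__":
    for off, managed, size in find_embedded_pe(SAMPLE_BLOB):
        print(f"PE at 0x{off:x}, {size} bytes, {'managed' if managed else 'native'}")
```

On a real dropper the embedded image is often XOR- or AES-wrapped before it reaches Assembly.Load, so an empty result from this scan means the bytes are transformed at runtime; dump the byte[] argument from a debugger or a hooked Assembly.Load instead and run the same carver over the dump.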

Persistence and Installation Behavior

barindex
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (15 identical entries)
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (15 identical entries)
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe File created: C:\Users\user\AppData\Roaming\Floppy.scr
Source: unknown Executable created and started: C:\Windows\en-GB\XxjbrMQQJwIwk.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Recovery\conhost.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\NKQvtzqn.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\AlGpCalM.log
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe File created: C:\Users\user\AppData\Roaming\chrome.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\jEyZpjlp.log
Source: C:\Users\user\AppData\Roaming\Floppy.scr File created: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Program Files\Google\SystemSettings.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\RsXUWNQa.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\cYRsbpkD.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\nMwiLBfl.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Recovery\WmiPrvSE.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\iZejiEQx.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Program Files (x86)\jDownloader\config\RuntimeBroker.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\LAuuthLm.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Windows\en-GB\XxjbrMQQJwIwk.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\JOOemUAt.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\wvPyvekT.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\tnSpZLqX.log
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe File created: C:\Users\user\AppData\Roaming\chrome_proxy.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\JxHMXyHr.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\aWfJGGgI.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File created: C:\Users\user\Desktop\WfpSyKfO.log

Boot Survival

barindex
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\conhost.exe'" /f
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Floppy.scr Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Google\SystemSettings.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Memory allocated: 9B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Memory allocated: 1A330000 memory reserve | memory write watch
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Memory allocated: 1080000 memory reserve | memory write watch
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Memory allocated: 1A9F0000 memory reserve | memory write watch
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Memory allocated: 1330000 memory reserve | memory write watch
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Memory allocated: 1B110000 memory reserve | memory write watch
Source: C:\Program Files\Google\SystemSettings.exe Memory allocated: F70000 memory reserve | memory write watch
Source: C:\Program Files\Google\SystemSettings.exe Memory allocated: 1AFA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490F33FC rdtsc 6_2_00007FF8490F33FC
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Code function: 36_2_00007FF848F2E03C sidt fword ptr [ecx-08h] 36_2_00007FF848F2E03C
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490E3FA4 sldt word ptr [eax] 6_2_00007FF8490E3FA4
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Google\SystemSettings.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\AlGpCalM.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\NKQvtzqn.log
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\chrome.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\jEyZpjlp.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\RsXUWNQa.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\cYRsbpkD.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\nMwiLBfl.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\iZejiEQx.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\LAuuthLm.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\wvPyvekT.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\JOOemUAt.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\tnSpZLqX.log
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\chrome_proxy.exe
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\aWfJGGgI.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\JxHMXyHr.log
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WfpSyKfO.log
Source: C:\Users\user\AppData\Roaming\Floppy.scr Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe TID: 4128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe TID: 7432 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe TID: 7476 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Google\SystemSettings.exe TID: 7924 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Google\SystemSettings.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B83230 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00B83230
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B93AC0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00B93AC0
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00BA2788 FindFirstFileExA, 0_2_00BA2788
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008CA69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 2_2_008CA69B
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008DC220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 2_2_008DC220
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008EB348 FindFirstFileExA, 2_2_008EB348
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B95FC2 VirtualQuery,GetSystemInfo, 0_2_00B95FC2
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Google\SystemSettings.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: wscript.exe, 00000003.00000003.2072215665.0000000002A78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\6
Source: Floppy.scr, 00000002.00000003.2057552884.0000000003412000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: O5OjRoFGIW.exe, 00000000.00000002.2052937477.00000000034EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yIv
Source: Floppy.scr, 00000002.00000003.2057552884.0000000003412000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Floppy.scr API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Code function: 6_2_00007FF8490F33FC rdtsc 6_2_00007FF8490F33FC
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B97150 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B97150
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B9F3F2 mov eax, dword ptr fs:[00000030h] 0_2_00B9F3F2
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008E7DEE mov eax, dword ptr fs:[00000030h] 2_2_008E7DEE
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00BA3470 GetProcessHeap, 0_2_00BA3470
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process token adjusted: Debug
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Process token adjusted: Debug
Source: C:\Program Files\Google\SystemSettings.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B97150 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B97150
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B972F5 SetUnhandledExceptionFilter, 0_2_00B972F5
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B9B27F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B9B27F
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B96683 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B96683
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008DF838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_008DF838
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008DF9D5 SetUnhandledExceptionFilter, 2_2_008DF9D5
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008DFBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_008DFBCA
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: 2_2_008E8EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_008E8EBD
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Process created: C:\Users\user\AppData\Roaming\Floppy.scr "C:\Users\user\AppData\Roaming\Floppy.scr" /S
Source: C:\Users\user\AppData\Roaming\Floppy.scr Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\qaZuUyhTvy3Ow0sR3yWsCVR.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\nbrdiKRtfK6.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe "C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon/servernet.exe"
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\zh7ztWDiYf.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\SystemSettings.exe "C:\Program Files\Google\SystemSettings.exe"
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B87228 cpuid 0_2_00B87228
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00B92758
Source: C:\Users\user\AppData\Roaming\Floppy.scr Code function: GetLocaleInfoW,GetNumberFormatW, 2_2_008DAF0F
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Queries volume information: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BrowserperfMonitorcommon\servernet.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\en-GB\XxjbrMQQJwIwk.exe Queries volume information: C:\Windows\en-GB\XxjbrMQQJwIwk.exe VolumeInformation
Source: C:\Program Files\Google\SystemSettings.exe Queries volume information: C:\Program Files\Google\SystemSettings.exe VolumeInformation
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B95833 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00B95833
Source: C:\Users\user\Desktop\O5OjRoFGIW.exe Code function: 0_2_00B833B7 GetVersionExW, 0_2_00B833B7
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000002.2120879201.0000000012517000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: servernet.exe PID: 6540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: XxjbrMQQJwIwk.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: 6.2.servernet.exe.1ac00000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.servernet.exe.1ac00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2130942025.000000001AC00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2120879201.0000000012517000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 6.2.servernet.exe.1ac00000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.servernet.exe.1ac00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2130942025.000000001AC00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000006.00000002.2120879201.0000000012517000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: servernet.exe PID: 6540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: XxjbrMQQJwIwk.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: 6.2.servernet.exe.1ac00000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.servernet.exe.1ac00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2130942025.000000001AC00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2120879201.0000000012517000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 6.2.servernet.exe.1ac00000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.servernet.exe.1ac00000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.2130942025.000000001AC00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
No contacted IP infos