Click to jump to signature section
Source: uk1HIyOQbk.exe | ReversingLabs: Detection: 83% |
Source: uk1HIyOQbk.exe | Virustotal: Detection: 76% | Perma Link |
Source: unknown | HTTPS traffic detected: 51.91.30.159:443 -> 192.168.2.4:49730 version: TLS 1.0 |
Source: uk1HIyOQbk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: global traffic | HTTP traffic detected: GET /download/16412149/89c46e99b3111e814466/RouletteBotPro_x64.exe HTTP/1.1Host: www.upload.eeConnection: Keep-Alive |
Source: Joe Sandbox View | IP Address: 51.91.30.159 51.91.30.159 |
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad |
Source: unknown | HTTPS traffic detected: 51.91.30.159:443 -> 192.168.2.4:49730 version: TLS 1.0 |
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic | HTTP traffic detected: GET /download/16412149/89c46e99b3111e814466/RouletteBotPro_x64.exe HTTP/1.1Host: www.upload.eeConnection: Keep-Alive |
Source: unknown | DNS traffic detected: queries for: www.upload.ee |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 29 Mar 2024 07:58:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 425Connection: closeStrict-Transport-Security: max-age=31536000X-XSS-Protection: 1P3P: CP="CAO PSA OUR" |
Source: uk1HIyOQbk.exe, 00000000.00000002.1661402521.00000000036E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: uk1HIyOQbk.exe, 00000000.00000002.1661402521.0000000003701000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.upload.ee |
Source: uk1HIyOQbk.exe, 00000000.00000002.1661402521.00000000036E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.upload.ee |
Source: uk1HIyOQbk.exe | String found in binary or memory: https://www.upload.ee/download/16412149/89c46e99b3111e814466/RouletteBotPro_x64.exe |
Source: uk1HIyOQbk.exe, 00000000.00000002.1661402521.0000000003721000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.upload.ee/files/16412149/RouletteBotPro_x64.exe.html?msg=sess_error |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730 |
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443 |
Source: uk1HIyOQbk.exe | Static PE information: No import functions for PE file found |
Source: uk1HIyOQbk.exe, 00000000.00000000.1616414840.00000000001C2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRoulleteBotPro_x32-x64.exe4 vs uk1HIyOQbk.exe |
Source: uk1HIyOQbk.exe | Binary or memory string: OriginalFilenameRoulleteBotPro_x32-x64.exe4 vs uk1HIyOQbk.exe |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: mscoree.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: rasapi32.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: rasman.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: rtutils.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: winhttp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: ondemandconnroutehelper.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: iphlpapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: dhcpcsvc6.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: dhcpcsvc.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: dnsapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: winnsi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: rasadhlp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: fwpuclnt.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: secur32.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: schannel.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: mskeyprotect.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: ntasn1.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: ncrypt.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: ncryptsslp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: gpapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: textshaping.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: textinputframework.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: coreuicomponents.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: classification engine | Classification label: mal60.winEXE@1/1@1/1 |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uk1HIyOQbk.exe.log | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Mutant created: NULL |
Source: uk1HIyOQbk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: uk1HIyOQbk.exe | ReversingLabs: Detection: 83% |
Source: uk1HIyOQbk.exe | Virustotal: Detection: 76% |
Source: uk1HIyOQbk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: uk1HIyOQbk.exe | Static PE information: Image base 0x140000000 > 0x60000000 |
Source: uk1HIyOQbk.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Code function: 0_2_00007FFD9B8B16F5 push eax; retf | 0_2_00007FFD9B8B177D |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Code function: 0_2_00007FFD9B8B1755 push eax; retf | 0_2_00007FFD9B8B177D |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Code function: 0_2_00007FFD9B8B16A5 push eax; retf | 0_2_00007FFD9B8B177D |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Code function: 0_2_00007FFD9B8B159D push eax; retf | 0_2_00007FFD9B8B177D |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Memory allocated: 1320000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Memory allocated: 1B660000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe TID: 5848 | Thread sleep time: -30000s >= -30000s | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe TID: 2364 | Thread sleep time: -922337203685477s >= -30000s | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: uk1HIyOQbk.exe | Binary or memory string: MEOxkZEIRIftqEmuxjljwTdy |
Source: uk1HIyOQbk.exe, 00000000.00000002.1660929785.00000000008FC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltt |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Process token adjusted: Debug | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Memory allocated: page read and write | page guard | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Queries volume information: C:\Users\user\Desktop\uk1HIyOQbk.exe VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\uk1HIyOQbk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |