Windows Analysis Report
SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe
Analysis ID: 1431843
MD5: 99aa185a295411f72303fa9b7a497795
SHA1: 04cbab9197165b1648ef6fcbf0d1b60d2e0f7a95
SHA256: 4c00a2f66bb1d2470b17ef277f5f12a90ff2fc86a258cb82bf294835b87d4e02
Tags: exe

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Contains functionality to detect virtual machines (IN instruction, VMware)
Detected VMProtect packer
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C4211DA __EH_prolog3_GS,BCryptOpenAlgorithmProvider,SetLastError, 15_2_6C4211DA
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C42138B __EH_prolog3_GS,BCryptGenRandom,SetLastError, 15_2_6C42138B
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C44CE90 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 15_2_6C44CE90
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C45A850 CertGetNameStringW,CertFindExtension,CryptDecodeObjectEx, 15_2_6C45A850
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C45A541 GetLastError,CreateFileW,GetLastError,GetFileSizeEx,GetLastError,ReadFile,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,GetLastError,CloseHandle, 15_2_6C45A541
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C44D94F CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 15_2_6C44D94F
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C491B8B BCryptCloseAlgorithmProvider, 15_2_6C491B8B
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C45D04E CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 15_2_6C45D04E
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C45D004 CryptAcquireContextW,CryptCreateHash, 15_2_6C45D004
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C45D036 CryptHashData, 15_2_6C45D036
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C42134F BCryptCloseAlgorithmProvider, 15_2_6C42134F
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_61adbb9d-5
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-04-25 #001.txt
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\ProgramData\Letasoft\Sound Booster\Logs\Setup Log 2024-04-25 #001.txt.log
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Wyatt\Documents\Visual Studio 2005\Projects\limelm-native-clients\bin\Release\TurboActivate.pdb source: is-470JU.tmp.1.dr
Source: Binary string: C:\pre\soft\compress\x64\CompressGainLimiter.pdb source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BE5B90 _wcslen,FindFirstFileW,FindNextFileW,FindClose, 8_2_00BE5B90
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BE3C78 __EH_prolog3_GS,FindFirstFileW,_wcslen,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 8_2_00BE3C78
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C43EFB1 recv,WSAGetLastError, 15_2_6C43EFB1
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, SoundBoosterTaskHost.exe, 0000000F.00000002.2048752619.000000006C492000.00000002.00000001.01000000.0000000E.sdmp, is-VDVIU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: http://.css
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, SoundBoosterTaskHost.exe, 0000000F.00000002.2048752619.000000006C492000.00000002.00000001.01000000.0000000E.sdmp, is-VDVIU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: http://.jpg
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-1AQ6S.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-1AQ6S.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceCodeSigningCA.crt0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-1AQ6S.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0O
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-1AQ6S.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-cs-g1.crl00
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-1AQ6S.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: is-VDV7H.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-1AQ6S.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-cs-g1.crl0L
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, SoundBoosterTaskHost.exe, 0000000F.00000002.2048752619.000000006C492000.00000002.00000001.01000000.0000000E.sdmp, is-VDVIU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: http://html4/loose.dtd
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: http://ocsp.comodoca.com02
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-1AQ6S.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-1AQ6S.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0P
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://ocsp.digicert.com0R
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://subca.ocsp-certum.com01
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://subca.ocsp-certum.com02
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://subca.ocsp-certum.com05
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: http://www.certum.pl/CPS0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.2065768674.0000000002226000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.1637946717.0000000002400000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2062141734.0000000002247000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.1641431576.00000000031F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.dk-soft.org/
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.1639199932.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.1638705530.0000000002400000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000000.1640080224.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-EMCVK.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr String found in binary or memory: http://www.innosetup.com/
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: http://www.letasoft.com
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.1639199932.000000007FCE0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.1638705530.0000000002400000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000000.1640080224.0000000000401000.00000020.00000001.01000000.00000004.sdmp, is-EMCVK.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr String found in binary or memory: http://www.remobjects.com/ps
Source: SoundBoosterTaskHost.exe, 0000000F.00000002.2048357672.0000000000978000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wyday.com/limelm/api/rest/
Source: is-UT7AG.tmp.1.dr String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SoundBoosterTaskHost.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: https://sectigo.com/CPS0U
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: https://secure.comodo.com/CPS0L
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: https://www.certum.pl/CPS0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-1AQ6S.tmp.1.dr, is-470JU.tmp.1.dr, is-UT7AG.tmp.1.dr, is-VDV7H.tmp.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.2065768674.000000000228D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2062141734.00000000022ED000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.letasoft.com
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.2065768674.000000000228D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2062141734.00000000022ED000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.letasoft.com)
Source: is-A00SO.tmp.1.dr, is-Q7VFD.tmp.1.dr String found in binary or memory: https://www.letasoft.com/help/#b1
Source: is-A00SO.tmp.1.dr, is-Q7VFD.tmp.1.dr String found in binary or memory: https://www.letasoft.com/help/#b5
Source: is-0B8RS.tmp.1.dr String found in binary or memory: https://www.letasoft.com/ru/help/#b1
Source: is-0B8RS.tmp.1.dr String found in binary or memory: https://www.letasoft.com/ru/help/#b5
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, is-U6OVG.tmp.1.dr, is-FO5GS.tmp.1.dr, is-V5IV6.tmp.1.dr, is-EMCVK.tmp.1.dr, is-Q41UV.tmp.1.dr, is-VDVIU.tmp.1.dr, is-P02PU.tmp.1.dr, is-HCK3C.tmp.1.dr, is-GVBLF.tmp.1.dr, is-4PLJA.tmp.1.dr, is-M1S53.tmp.1.dr, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr, is-HJ5VT.tmp.1.dr, is-3TFGO.tmp.1.dr, is-9OI0H.tmp.1.dr String found in binary or memory: https://www.letasoft.com0
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.1637946717.0000000002400000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.1641431576.00000000031F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.letasoft.com0https://www.letasoft.com0https://www.letasoft.com
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.2065768674.000000000228D000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2062141734.00000000022ED000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.letasoft.comq
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, SoundBoosterTaskHost.exe, SoundBoosterTaskHost.exe, 0000000F.00000002.2048752619.000000006C492000.00000002.00000001.01000000.0000000E.sdmp, SoundBoosterTaskHost.exe, 0000000F.00000002.2048357672.0000000000978000.00000004.00000020.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: https://wyday.com/limelm/api/rest/
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, SoundBoosterTaskHost.exe, 0000000F.00000002.2048752619.000000006C492000.00000002.00000001.01000000.0000000E.sdmp, is-VDVIU.tmp.1.dr, is-UT7AG.tmp.1.dr String found in binary or memory: https://wyday.com/limelm/api/rest/httpsSignature
Source: is-470JU.tmp.1.dr String found in binary or memory: https://wyday.com/limelm/buy-redirect/%u/admin
Source: is-A00SO.tmp.1.dr, is-Q7VFD.tmp.1.dr, is-0B8RS.tmp.1.dr String found in binary or memory: https://wyday.com/limelm/help/faq/#fix-broken-wmi
Source: is-470JU.tmp.1.dr String found in binary or memory: https://wyday.com/limelm/help/faq/#fix-broken-wmivalTranslationtitlestartstitlepluralstitlesingleact

System Summary

Source: is-VDVIU.tmp.1.dr Static PE information: .vmp0 and .vmp1 section names
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C3F5929: SHGetFolderPathW,GetVolumePathNameW,GetVolumeNameForVolumeMountPointW,CreateFileW,DeviceIoControl,DeviceIoControl,CloseHandle, 15_2_6C3F5929
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_0042359F OpenSCManagerW,GetLastError,GetLastError,GetLastError,OpenServiceW,GetLastError,GetLastError,ControlService,Sleep,Sleep,QueryServiceStatus,DeleteService,GetLastError,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 13_2_0042359F
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BEA830 8_2_00BEA830
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BF21B0 8_2_00BF21B0
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00C011DC 8_2_00C011DC
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BE99A0 8_2_00BE99A0
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BFC2AE 8_2_00BFC2AE
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BE9DB0 8_2_00BE9DB0
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BF1D52 8_2_00BF1D52
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BFBE00 8_2_00BFBE00
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BE9FA0 8_2_00BE9FA0
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BF1F81 8_2_00BF1F81
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_00429843 13_2_00429843
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_004368DC 13_2_004368DC
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_00431940 13_2_00431940
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_004293B7 13_2_004293B7
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_004295E6 13_2_004295E6
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_00431DEE 13_2_00431DEE
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C3E601A 15_2_6C3E601A
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C480C69 15_2_6C480C69
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C42ACA4 15_2_6C42ACA4
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C430CBC 15_2_6C430CBC
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C428F30 15_2_6C428F30
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C426F8D 15_2_6C426F8D
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C42A849 15_2_6C42A849
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C410979 15_2_6C410979
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C45E920 15_2_6C45E920
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C428BDD 15_2_6C428BDD
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C428BEA 15_2_6C428BEA
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C42A406 15_2_6C42A406
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C46E4D0 15_2_6C46E4D0
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C442484 15_2_6C442484
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C46C568 15_2_6C46C568
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C484629 15_2_6C484629
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C432706 15_2_6C432706
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C432146 15_2_6C432146
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C42A1E2 15_2_6C42A1E2
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C45C1F6 15_2_6C45C1F6
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C488218 15_2_6C488218
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C3F6296 15_2_6C3F6296
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C488338 15_2_6C488338
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C44BC04 15_2_6C44BC04
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C475CC1 15_2_6C475CC1
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C3F1F8C 15_2_6C3F1F8C
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C453801 15_2_6C453801
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C3E1859 15_2_6C3E1859
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C46183E 15_2_6C46183E
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C429899 15_2_6C429899
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C40F981 15_2_6C40F981
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C3F7471 15_2_6C3F7471
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C46907F 15_2_6C46907F
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C3F711B 15_2_6C3F711B
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C43D130 15_2_6C43D130
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C43B206 15_2_6C43B206
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C455237 15_2_6C455237
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: String function: 0042243D appears 35 times
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: String function: 00BE19BD appears 47 times
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: String function: 00BEDA80 appears 35 times
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: String function: 6C43350C appears 149 times
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: String function: 6C43EEAA appears 152 times
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: String function: 6C433AC0 appears 67 times
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: String function: 6C3E9279 appears 70 times
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: String function: 6C432EF2 appears 42 times
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: String function: 6C4334D8 appears 303 times
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-EMCVK.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-EMCVK.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-HCK3C.tmp.1.dr Static PE information: No import functions for PE file found
Source: is-3TFGO.tmp.1.dr Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.1639199932.000000007FE39000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe, 00000000.00000003.1638705530.000000000255D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: is-UT7AG.tmp.1.dr Binary string: ASSOCIATORS OF {Win32_LogicalDisk.DeviceID="WQLDeviceID"} WHERE AssocClass = Win32_LogicalDiskToPartition KEYSONLY"} WHERE AssocClass = Win32_DiskDriveToDiskPartition KEYSONLYASSOCIATORS OF {Win32_DiskPartition.DeviceID=""Select Model, SerialNumber from Win32_DiskDrive WHERE DeviceID="SerialNumberModelPnpInstanceIDSYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connectionroot\wmi OR DeviceName="\\DEVICE\\SELECT InstanceName, DeviceName FROM MSNdis_EnumerateAdapter WHERE DeviceName="\\DEVICE\\InstanceNameDeviceName OR InstanceName="SELECT InstanceName, NdisPermanentAddress FROM MSNdis_EthernetPermanentAddress WHERE InstanceName="AddressNdisPermanentAddressWin32_NetworkAdapter.DeviceID="EnableDisableReturnValueTRUESELECT DeviceID, PermanentAddress FROM MSFT_NetAdapter WHERE (Virtual = OR PNPDeviceID LIKE "XEN%\\%" OR PNPDeviceID LIKE "VMBUS\\%") AND (InterfaceType = 6 OR InterfaceType = 71) AND NOT NdisPhysicalMedium = 10FALSEroot\StandardCimv2PermanentAddressGUIDSELECT GUID, DeviceID FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE AND (PNPDeviceID LIKE "PCI\\%" OR PNPDeviceID LIKE "USB\\%" OR PNPDeviceID LIKE "SD\\%" OR PNPDeviceID LIKE "XEN%\\%" OR PNPDeviceID LIKE "VMBUS\\%" OR PNPDeviceID LIKE "%BDRV\\%") AND NOT ServiceName LIKE "usbrndis%"Winmgmtroot\cimv2Select Name, SerialNumber, SMBIOSBIOSVersion, Manufacturer, Version from Win32_BIOSSelect Model from Win32_DiskDriveParallelsVMwareSMBIOSBIOSVersionNameManufacturerVirtualBoxVersionXenProductSelect Product, Manufacturer from Win32_BaseBoardProcessorIdSelect ProcessorId, Name, Manufacturer from Win32_ProcessorCapacitySelect Capacity from Win32_PhysicalMemorySbieDll.dll
Source: classification engine Classification label: sus26.evad.winEXE@21/57@0/0
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: GetModuleFileNameW,GetLastError,GetLastError,GetLastError,OpenSCManagerW,GetLastError,GetLastError,GetLastError,CreateServiceW,GetLastError,GetLastError,ChangeServiceConfig2W,GetLastError,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 13_2_004232C3
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C3F6F7F __EH_prolog3_GS,CoCreateInstance,SysFreeString,CoSetProxyBlanket, 15_2_6C3F6F7F
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_00423A4B __EH_prolog3_GS,EnterCriticalSection,LeaveCriticalSection,CreateWellKnownSid,StartServiceCtrlDispatcherW,GetLastError,GetLastError,GetLastError, 13_2_00423A4B
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:916:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Mutant created: \Sessions\1\BaseNamedObjects\SetupMutex{6C6CF38B-11DD-45C6-A15E-A3A0C4CE60F8}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe File created: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Command line argument: ^oC 13_2_00436EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: SoundBoosterTaskHost.exe String found in binary or memory: -InstallAPO
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe
Source: C:\Users\user\AppData\Local\Temp\is-RARHB.tmp\_isetup\_setup64.tmp Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Process created: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp "C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp" /SL5="$20446,6484768,412160,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process created: C:\Users\user\AppData\Local\Temp\is-RARHB.tmp\_isetup\_setup64.tmp helper 105 0x544
Source: C:\Users\user\AppData\Local\Temp\is-RARHB.tmp\_isetup\_setup64.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process created: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe "C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe" -InstallAPO
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Letasoft Sound Booster\Sbapo.dll"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe /s "C:\Program Files (x86)\Letasoft Sound Booster\Sbapo.dll"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process created: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe "C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe" -install
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process created: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe "C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe" -Activate
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Process created: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp "C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp" /SL5="$20446,6484768,412160,C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe"
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process created: C:\Users\user\AppData\Local\Temp\is-RARHB.tmp\_isetup\_setup64.tmp helper 105 0x544
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process created: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe "C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe" -InstallAPO
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process created: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe "C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe" -install
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process created: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe "C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe" -Activate
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Letasoft Sound Booster\Sbapo.dll"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe /s "C:\Program Files (x86)\Letasoft Sound Booster\Sbapo.dll"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-RARHB.tmp\_isetup\_setup64.tmp Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: wkscli.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: cscapi.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: apocontrol.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: pcacli.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: mpr.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: mmdevapi.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: audioeng.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: propsys.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: avrt.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: audiosrv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: audiosrvpolicymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mmdevapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mmdevapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: hrtfapo.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.media.devices.dll
Source: C:\Windows\System32\svchost.exe Section loaded: comppkgsup.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coreaudiopolicymanagerext.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe Section loaded: audioses.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.applicationmodel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: turboactivate.dll Jump to behavior
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: Letasoft Sound Booster.lnk.1.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Letasoft Sound Booster\SoundBooster.exe
Source: Diagnostics Report Creator.lnk.1.dr LNK file: ..\..\..\..\..\..\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe
Source: Letasoft Sound Booster.lnk0.1.dr LNK file: ..\..\..\Program Files (x86)\Letasoft Sound Booster\SoundBooster.exe
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Window found: window name: TSelectLanguageForm
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Static PE information: certificate valid
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Static file information: File size 6973352 > 1048576
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Wyatt\Documents\Visual Studio 2005\Projects\limelm-native-clients\bin\Release\TurboActivate.pdb source: is-470JU.tmp.1.dr
Source: Binary string: C:\pre\soft\compress\x64\CompressGainLimiter.pdb source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-1AQ6S.tmp.1.dr
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BE20D3 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,FreeLibrary, 8_2_00BE20D3
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: is-9OI0H.tmp.1.dr Static PE information: section name: RT_CODE
Source: is-9OI0H.tmp.1.dr Static PE information: section name: RT_CONST
Source: is-VDV7H.tmp.1.dr Static PE information: section name: .text1
Source: is-VDV7H.tmp.1.dr Static PE information: section name: .data1
Source: is-VDV7H.tmp.1.dr Static PE information: section name: .trace
Source: is-1AQ6S.tmp.1.dr Static PE information: section name: _RDATA
Source: is-4PLJA.tmp.1.dr Static PE information: section name: .giats
Source: is-4PLJA.tmp.1.dr Static PE information: section name: .vmp0
Source: is-4PLJA.tmp.1.dr Static PE information: section name: .vmp1
Source: is-VDVIU.tmp.1.dr Static PE information: section name: .vmp0
Source: is-VDVIU.tmp.1.dr Static PE information: section name: .vmp1
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Letasoft Sound Booster\Sbapo.dll"
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BEDAC6 push ecx; ret 8_2_00BEDAD9
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BED5A7 push ecx; ret 8_2_00BED5BA
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_00424932 push ecx; ret 13_2_00424945
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_00424F66 push ecx; ret 13_2_00424F79
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C43390F push ecx; ret 15_2_6C433932
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C4334A1 push ecx; ret 15_2_6C4334B4
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\SBH.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-EMCVK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\SoundBooster.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Users\user\AppData\Local\Temp\is-RARHB.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\Sbapo.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\UltraActivate.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-P02PU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-470JU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\Logger64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-HJ5VT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterHelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-UT7AG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\SBH64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\Filters\gain.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\TurboActivate.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-U6OVG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\Logger32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\Filters\limit.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\unins000.exe (copy)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe File created: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-FO5GS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-GVBLF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\Lang\is-HCK3C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\Lang\is-3TFGO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\TurboActivate.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-M1S53.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\Filters\is-1AQ6S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-4PLJA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-VDVIU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\Filters\is-VDV7H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\Lang\SoundBoosterRU.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\Lang\SoundBoosterBR.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-V5IV6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-9OI0H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\ApoControl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Program Files (x86)\Letasoft Sound Booster\is-Q41UV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-04-25 #001.txt
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\ProgramData\Letasoft\Sound Booster\Logs\Setup Log 2024-04-25 #001.txt.log
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Letasoft Sound Booster
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Letasoft Sound Booster\Letasoft Sound Booster.lnk
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Letasoft Sound Booster\Diagnostics Report Creator.lnk
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_00423A4B __EH_prolog3_GS,EnterCriticalSection,LeaveCriticalSection,CreateWellKnownSid,StartServiceCtrlDispatcherW,GetLastError,GetLastError,GetLastError, 13_2_00423A4B
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C4080C1 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_6C4080C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C3F555F in eax, dx 15_2_6C3F555F
Source: SoundBoosterTaskHost.exe, 0000000F.00000002.2048752619.000000006C492000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: ?LASSOCIATORS OF {WIN32_LOGICALDISK.DEVICEID="WQLDEVICEID"} WHERE ASSOCCLASS = WIN32_LOGICALDISKTOPARTITION KEYSONLY"} WHERE ASSOCCLASS = WIN32_DISKDRIVETODISKPARTITION KEYSONLYASSOCIATORS OF {WIN32_DISKPARTITION.DEVICEID=""SELECT MODEL, SERIALNUMBER FROM WIN32_DISKDRIVE WHERE DEVICEID="SERIALNUMBERMODELPNPINSTANCEIDSYSTEM\CURRENTCONTROLSET\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\%S\CONNECTIONROOT\WMI OR DEVICENAME="\\DEVICE\\SELECT INSTANCENAME, DEVICENAME FROM MSNDIS_ENUMERATEADAPTER WHERE DEVICENAME="\\DEVICE\\INSTANCENAMEDEVICENAME OR INSTANCENAME="SELECT INSTANCENAME, NDISPERMANENTADDRESS FROM MSNDIS_ETHERNETPERMANENTADDRESS WHERE INSTANCENAME="ADDRESSNDISPERMANENTADDRESSWIN32_NETWORKADAPTER.DEVICEID="ENABLEDISABLERETURNVALUETRUESELECT DEVICEID, PERMANENTADDRESS FROM MSFT_NETADAPTER WHERE (VIRTUAL = OR PNPDEVICEID LIKE "XEN%\\%" OR PNPDEVICEID LIKE "VMBUS\\%") AND (INTERFACETYPE = 6 OR INTERFACETYPE = 71) AND NOT NDISPHYSICALMEDIUM = 10FALSEROOT\STANDARDCIMV2PERMANENTADDRESSGUIDSELECT GUID, DEVICEID FROM WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER = TRUE AND (PNPDEVICEID LIKE "PCI\\%" OR PNPDEVICEID LIKE "USB\\%" OR PNPDEVICEID LIKE "SD\\%" OR PNPDEVICEID LIKE "XEN%\\%" OR PNPDEVICEID LIKE "VMBUS\\%" OR PNPDEVICEID LIKE "%BDRV\\%") AND NOT SERVICENAME LIKE "USBRNDIS%"WINMGMTROOT\CIMV2SELECT NAME, SERIALNUMBER, SMBIOSBIOSVERSION, MANUFACTURER, VERSION FROM WIN32_BIOSSELECT MODEL FROM WIN32_DISKDRIVEPARALLELSVMWARESMBIOSBIOSVERSIONNAMEMANUFACTURERVIRTUALBOXVERSIONXENPRODUCTSELECT PRODUCT, MANUFACTURER FROM WIN32_BASEBOARDPROCESSORIDSELECT PROCESSORID, NAME, MANUFACTURER FROM WIN32_PROCESSORCAPACITYSELECT CAPACITY FROM WIN32_PHYSICALMEMORYSBIEDLL.DLL
Source: SoundBoosterTaskHost.exe Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2056520577.00000000064ED000.00000004.00001000.00020000.00000000.sdmp, is-VDVIU.tmp.1.dr, is-UT7AG.tmp.1.dr Binary or memory string: ASSOCIATORS OF {WIN32_LOGICALDISK.DEVICEID="WQLDEVICEID"} WHERE ASSOCCLASS = WIN32_LOGICALDISKTOPARTITION KEYSONLY"} WHERE ASSOCCLASS = WIN32_DISKDRIVETODISKPARTITION KEYSONLYASSOCIATORS OF {WIN32_DISKPARTITION.DEVICEID=""SELECT MODEL, SERIALNUMBER FROM WIN32_DISKDRIVE WHERE DEVICEID="SERIALNUMBERMODELPNPINSTANCEIDSYSTEM\CURRENTCONTROLSET\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\%S\CONNECTIONROOT\WMI OR DEVICENAME="\\DEVICE\\SELECT INSTANCENAME, DEVICENAME FROM MSNDIS_ENUMERATEADAPTER WHERE DEVICENAME="\\DEVICE\\INSTANCENAMEDEVICENAME OR INSTANCENAME="SELECT INSTANCENAME, NDISPERMANENTADDRESS FROM MSNDIS_ETHERNETPERMANENTADDRESS WHERE INSTANCENAME="ADDRESSNDISPERMANENTADDRESSWIN32_NETWORKADAPTER.DEVICEID="ENABLEDISABLERETURNVALUETRUESELECT DEVICEID, PERMANENTADDRESS FROM MSFT_NETADAPTER WHERE (VIRTUAL = OR PNPDEVICEID LIKE "XEN%\\%" OR PNPDEVICEID LIKE "VMBUS\\%") AND (INTERFACETYPE = 6 OR INTERFACETYPE = 71) AND NOT NDISPHYSICALMEDIUM = 10FALSEROOT\STANDARDCIMV2PERMANENTADDRESSGUIDSELECT GUID, DEVICEID FROM WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER = TRUE AND (PNPDEVICEID LIKE "PCI\\%" OR PNPDEVICEID LIKE "USB\\%" OR PNPDEVICEID LIKE "SD\\%" OR PNPDEVICEID LIKE "XEN%\\%" OR PNPDEVICEID LIKE "VMBUS\\%" OR PNPDEVICEID LIKE "%BDRV\\%") AND NOT SERVICENAME LIKE "USBRNDIS%"WINMGMTROOT\CIMV2SELECT NAME, SERIALNUMBER, SMBIOSBIOSVERSION, MANUFACTURER, VERSION FROM WIN32_BIOSSELECT MODEL FROM WIN32_DISKDRIVEPARALLELSVMWARESMBIOSBIOSVERSIONNAMEMANUFACTURERVIRTUALBOXVERSIONXENPRODUCTSELECT PRODUCT, MANUFACTURER FROM WIN32_BASEBOARDPROCESSORIDSELECT PROCESSORID, NAME, MANUFACTURER FROM WIN32_PROCESSORCAPACITYSELECT CAPACITY FROM WIN32_PHYSICALMEMORYSBIEDLL.DLL
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: __EH_prolog3_GS_align,GetAdaptersInfo,GetAdaptersInfo,GetAdaptersInfo,CoInitializeEx,CoCreateInstance,OpenSCManagerW,OpenServiceW,QueryServiceConfigW,GetLastError,LocalAlloc,QueryServiceConfigW,ChangeServiceConfigW,LocalFree,CloseServiceHandle,CloseServiceHandle,CoSetProxyBlanket,SysFreeString,SysFreeString,SysFreeString,SysFreeString,VariantClear,SysStringLen,VariantClear,VariantClear,SysStringLen,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,VariantClear,SysFreeString,SysStringLen,VariantClear,SysFreeString,SysStringLen,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,SysFreeString,SysFreeString,VariantClear,CoUninitialize, 15_2_6C3F7471
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\SBH.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\SoundBooster.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\Sbapo.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\UltraActivate.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\is-P02PU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\is-470JU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\Logger64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\is-HJ5VT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterHelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\is-UT7AG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\SBH64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\Filters\gain.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\TurboActivate.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\is-U6OVG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\Logger32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\Filters\limit.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\is-FO5GS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\Lang\is-HCK3C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\Lang\is-3TFGO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\Filters\is-1AQ6S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\is-4PLJA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\is-VDVIU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\Filters\is-VDV7H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\Lang\SoundBoosterBR.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\Lang\SoundBoosterRU.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\is-V5IV6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\is-9OI0H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Letasoft Sound Booster\is-Q41UV.tmp
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BE5B90 _wcslen,FindFirstFileW,FindNextFileW,FindClose, 8_2_00BE5B90
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BE3C78 __EH_prolog3_GS,FindFirstFileW,_wcslen,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 8_2_00BE3C78
Source: is-Q41UV.tmp.1.dr Binary or memory string: Hooks\HookEngineLhook.cppCHookEngineLhook::InstallHookALREADY INSTALLEDLhook_SetHook() FAILEDCHookEngineLhook::RemoveHookLhook_Unhook() FAILED SOFTWARE\Letasoft\Sound BoosterMLSCKLHookSharedSoundBoosterdbgmondevenvdwwinjs7jitvsjitdebuggermonitortaskmgrdxerrdllhostsndvoltaskengrundll32werfaultwuauclttsvncachedwmsndvol32errlookconhostexplorerravcpl642gistraynotifiersyntphelpermssecessyntpenhsidebarregeditnotepad++wcouriersourcetreeasscrprotaskhostsvchostwidgetstaskhostwtaskhostexsoftware_reporter_toolsihostcoresyncagsserviceadobeipcbrokeradobe desktop servicemsvsmonrtkngui64dexploresrspremiumpanelvmware-unity-helpervmplayervmware-vmxqt5appwrapperrarextloaderRadeonSettingsunins000turboactivatedbgviewmsascuilmsascuismartscreenKLHookDll.cppCKLHookProcess::AttachAPIsAttachAPIs: m_bIsProcessIgnoredAttaching to api failed more than allowed number of times. api=.exeCKLHookProcess::OnDllProcessDetachDLL_PROCESS_DETACH starting=DetachAPIs() completedSound BoosterCKLHookProcess::Initializecalled for process id=CreateGlobalStructs() FAILEDIVSTManager::Initialize SUCCEEDED FAILEDInitShared FAILEDFAILED TO GET PROCESS START TIME`H
Source: SoundBoosterTaskHost.exe Binary or memory string: VMware
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2063898887.000000000077D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SoundBoosterTaskHost.exe, 0000000F.00000002.2048357672.0000000000978000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp, 00000001.00000003.2063898887.000000000077D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{
Source: is-UT7AG.tmp.1.dr Binary or memory string: ASSOCIATORS OF {Win32_LogicalDisk.DeviceID="WQLDeviceID"} WHERE AssocClass = Win32_LogicalDiskToPartition KEYSONLY"} WHERE AssocClass = Win32_DiskDriveToDiskPartition KEYSONLYASSOCIATORS OF {Win32_DiskPartition.DeviceID=""Select Model, SerialNumber from Win32_DiskDrive WHERE DeviceID="SerialNumberModelPnpInstanceIDSYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connectionroot\wmi OR DeviceName="\\DEVICE\\SELECT InstanceName, DeviceName FROM MSNdis_EnumerateAdapter WHERE DeviceName="\\DEVICE\\InstanceNameDeviceName OR InstanceName="SELECT InstanceName, NdisPermanentAddress FROM MSNdis_EthernetPermanentAddress WHERE InstanceName="AddressNdisPermanentAddressWin32_NetworkAdapter.DeviceID="EnableDisableReturnValueTRUESELECT DeviceID, PermanentAddress FROM MSFT_NetAdapter WHERE (Virtual = OR PNPDeviceID LIKE "XEN%\\%" OR PNPDeviceID LIKE "VMBUS\\%") AND (InterfaceType = 6 OR InterfaceType = 71) AND NOT NdisPhysicalMedium = 10FALSEroot\StandardCimv2PermanentAddressGUIDSELECT GUID, DeviceID FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE AND (PNPDeviceID LIKE "PCI\\%" OR PNPDeviceID LIKE "USB\\%" OR PNPDeviceID LIKE "SD\\%" OR PNPDeviceID LIKE "XEN%\\%" OR PNPDeviceID LIKE "VMBUS\\%" OR PNPDeviceID LIKE "%BDRV\\%") AND NOT ServiceName LIKE "usbrndis%"Winmgmtroot\cimv2Select Name, SerialNumber, SMBIOSBIOSVersion, Manufacturer, Version from Win32_BIOSSelect Model from Win32_DiskDriveParallelsVMwareSMBIOSBIOSVersionNameManufacturerVirtualBoxVersionXenProductSelect Product, Manufacturer from Win32_BaseBoardProcessorIdSelect ProcessorId, Name, Manufacturer from Win32_ProcessorCapacitySelect Capacity from Win32_PhysicalMemorySbieDll.dll
Source: SoundBoosterTaskHost.exe, 0000000F.00000002.2048752619.000000006C492000.00000002.00000001.01000000.0000000E.sdmp Binary or memory string: ?lASSOCIATORS OF {Win32_LogicalDisk.DeviceID="WQLDeviceID"} WHERE AssocClass = Win32_LogicalDiskToPartition KEYSONLY"} WHERE AssocClass = Win32_DiskDriveToDiskPartition KEYSONLYASSOCIATORS OF {Win32_DiskPartition.DeviceID=""Select Model, SerialNumber from Win32_DiskDrive WHERE DeviceID="SerialNumberModelPnpInstanceIDSYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connectionroot\wmi OR DeviceName="\\DEVICE\\SELECT InstanceName, DeviceName FROM MSNdis_EnumerateAdapter WHERE DeviceName="\\DEVICE\\InstanceNameDeviceName OR InstanceName="SELECT InstanceName, NdisPermanentAddress FROM MSNdis_EthernetPermanentAddress WHERE InstanceName="AddressNdisPermanentAddressWin32_NetworkAdapter.DeviceID="EnableDisableReturnValueTRUESELECT DeviceID, PermanentAddress FROM MSFT_NetAdapter WHERE (Virtual = OR PNPDeviceID LIKE "XEN%\\%" OR PNPDeviceID LIKE "VMBUS\\%") AND (InterfaceType = 6 OR InterfaceType = 71) AND NOT NdisPhysicalMedium = 10FALSEroot\StandardCimv2PermanentAddressGUIDSELECT GUID, DeviceID FROM Win32_NetworkAdapter WHERE PhysicalAdapter = TRUE AND (PNPDeviceID LIKE "PCI\\%" OR PNPDeviceID LIKE "USB\\%" OR PNPDeviceID LIKE "SD\\%" OR PNPDeviceID LIKE "XEN%\\%" OR PNPDeviceID LIKE "VMBUS\\%" OR PNPDeviceID LIKE "%BDRV\\%") AND NOT ServiceName LIKE "usbrndis%"Winmgmtroot\cimv2Select Name, SerialNumber, SMBIOSBIOSVersion, Manufacturer, Version from Win32_BIOSSelect Model from Win32_DiskDriveParallelsVMwareSMBIOSBIOSVersionNameManufacturerVirtualBoxVersionXenProductSelect Product, Manufacturer from Win32_BaseBoardProcessorIdSelect ProcessorId, Name, Manufacturer from Win32_ProcessorCapacitySelect Capacity from Win32_PhysicalMemorySbieDll.dll
Source: is-HJ5VT.tmp.1.dr Binary or memory string: Hooks\HookEngineLhook.cppCHookEngineLhook::InstallHookALREADY INSTALLEDLhook_SetHook() FAILEDCHookEngineLhook::RemoveHookLhook_Unhook() FAILED %s%sSOFTWARE\Letasoft\Sound BoosterMLSCKLHookSharedSoundBoosterdbgmondevenvdwwinjs7jitvsjitdebuggermonitortaskmgrdxerrdllhostsndvoltaskengrundll32werfaultwuauclttsvncachedwmsndvol32errlookconhostexplorerravcpl642gistraynotifiersyntphelpermssecessyntpenhsidebarregeditnotepad++wcouriersourcetreeasscrprotaskhostsvchostwidgetstaskhostwtaskhostexsoftware_reporter_toolsihostcoresyncagsserviceadobeipcbrokeradobe desktop servicemsvsmonrtkngui64dexploresrspremiumpanelvmware-unity-helpervmplayervmware-vmxqt5appwrapperrarextloaderRadeonSettingsunins000turboactivatedbgviewmsascuilmsascuismartscreenKLHookDll.cppCKLHookProcess::AttachAPIsAttachAPIs: m_bIsProcessIgnoredAttaching to api failed more than allowed number of times. api=.exeCKLHookProcess::OnDllProcessDetachDLL_PROCESS_DETACH starting=DetachAPIs() completedSound BoosterCKLHookProcess::Initializecalled for process id=CreateGlobalStructs() FAILEDIVSTManager::Initialize SUCCEEDED FAILEDInitShared FAILEDFAILED TO GET PROCESS START TIME
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BF0667 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00BF0667
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BE20D3 __EH_prolog3_GS,LoadLibraryW,GetProcAddress,FreeLibrary, 8_2_00BE20D3
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BF3D31 mov eax, dword ptr fs:[00000030h] 8_2_00BF3D31
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_0042AEAB mov eax, dword ptr fs:[00000030h] 13_2_0042AEAB
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C474C77 mov eax, dword ptr fs:[00000030h] 15_2_6C474C77
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C47FCF6 mov eax, dword ptr fs:[00000030h] 15_2_6C47FCF6
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C47FCB2 mov eax, dword ptr fs:[00000030h] 15_2_6C47FCB2
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BFA26A GetProcessHeap, 8_2_00BFA26A
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BED87A SetUnhandledExceptionFilter, 8_2_00BED87A
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BE7180 UnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00BE7180
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BED171 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00BED171
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BF0667 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00BF0667
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BED71B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00BED71B
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_00424A45 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00424A45
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_00427B17 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00427B17
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_00424BB8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00424BB8
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_00424D17 SetUnhandledExceptionFilter, 13_2_00424D17
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C432F41 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_6C432F41
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C433B06 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_6C433B06
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C469BB2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_6C469BB2
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Process created: C:\Users\user\AppData\Local\Temp\is-RARHB.tmp\_isetup\_setup64.tmp helper 105 0x544
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\Letasoft Sound Booster\Sbapo.dll"
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C3F31FB AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 15_2_6C3F31FB
Source: C:\Users\user\AppData\Local\Temp\is-RARHB.tmp\_isetup\_setup64.tmp Code function: 5_2_0000000140001000 GetNamedSecurityInfoW,AllocateAndInitializeSid,SetEntriesInAclW,SetNamedSecurityInfoW,LocalFree,FreeSid,LocalFree,GetLastError, 5_2_0000000140001000
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BED8D5 cpuid 8_2_00BED8D5
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 15_2_6C486F2A
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: GetLocaleInfoW, 15_2_6C47DE7E
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: EnumSystemLocalesW, 15_2_6C47D8C5
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 15_2_6C48788B
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: GetLocaleInfoW, 15_2_6C487590
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 15_2_6C4876B6
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: GetLocaleInfoW, 15_2_6C4877BC
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: GetLocaleInfoW, 15_2_6C487125
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: EnumSystemLocalesW, 15_2_6C4871CC
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: EnumSystemLocalesW, 15_2_6C487217
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: EnumSystemLocalesW, 15_2_6C4872B2
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 15_2_6C48733D
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-VT15G.tmp\SecuriteInfo.com.Trojan.Win32.Pikabot.14696.3514.tmp Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Queries volume information: C:\ProgramData\DIBsection\20986331705021ca58edc424.96250074 VolumeInformation
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Queries volume information: C:\ProgramData\DIBsection\20986331705021ca58edc424.96250074 VolumeInformation
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterService.exe Code function: 13_2_004210C4 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z,__EH_prolog3,CreateNamedPipeW,CreateThread,SetThreadPriority,ResumeThread,CloseHandle, 13_2_004210C4
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BEB900 GetLocalTime,SystemTimeToFileTime,FileTimeToDosDateTime, 8_2_00BEB900
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BF5576 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 8_2_00BF5576
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 8_2_00BE1EE8 NetWkstaGetInfo,NetApiBufferFree,GetVersionExW,GetVersionExW,GetVersionExW, 8_2_00BE1EE8
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C448197 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,__fprintf_l,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket, 15_2_6C448197
Source: C:\Program Files (x86)\Letasoft Sound Booster\SoundBoosterTaskHost.exe Code function: 15_2_6C4402AC ___from_strstr_to_strchr,htons,htons,htons,bind,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 15_2_6C4402AC
No contacted IP infos